Solved

server hacked?

Posted on 2004-08-12
Last Modified: 2013-12-04
About 4 days ago I had a bunch of failure audits with Event ID 627 in my Security Logs, as well as a few success audits with Event ID 642 saying user account changed for the administrator account. I am pretty sure this happened through remote access channels and/or using null sessions. I had an almost 128 bit long passphrase for the administrator account -- so it did not seem susceptible to a "dictionary" style attack or even a brute force attack unless somebody used a sniffer to monitor the traffic between my laptop and the server whenever I would administer the server remotely through Windows RDP, & I did that quite often. All this happened even though I have a hardware & a software firewall.
I have completely reformatted the server (running Windows 2003 Enterprise) three times, disabled the null sessions/admin share in the registry, disabled NetBIOS & set deny access to the computer from the network in my security policies, & enabled port filtering.
My question is: How safe is it to use my Visual Studio solutions & project files with code behind & image files that I copied from the server before I reformatted it? Also, can I use the SQL Server database that I backed up before I reformatted the server, and restore it on the newly built system? Is there any possibility that the attacker might have "embedded" some hidden files in my Visual Studio solutions & project files, as well as my SQL Server database, so that my copied VS solutions & the database backup are somehow "infected"? Will I need to completely rebuild my database from scratch as well as my Visual Studio projects on the newly built system instead of using the ones that I copied?
Thanks.

PS: On second thoughts, could this have been the MBSA I had used that day on the system that generated all these security log events? If that is true, then the whole reformatting was an exercise in futility! But why would MBSA try to change my administrator account (although it did have the username as "Administrator") when I had a terribly long and complex passphrase? Besides the POP3 accounts on the local system -- these accounts do not have logon privileges on the local system -- it also played with my guest, support, and ASP.NET accounts, although the first two were disabled. All the security log events with failure audits happened within 10 seconds & repeated again after three hours. I am not sure if I used the MBSA at the same time these log events were recorded. Confused.
0
Question by: shaileshmark
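As an added example (not part of the original question or any answer), the pattern described above can be checked mechanically against exported Security log records: a burst of Event ID 627 failure audits against several accounts within about 10 seconds, then a 642 success audit on the Administrator account. The record layout, timestamps and account names below are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed records shaped like the Security log: (time, event id, audit type, target account)
SAMPLE_EVENTS = [
    ("2004-08-08 02:14:03", 627, "Failure", "Administrator"),
    ("2004-08-08 02:14:04", 627, "Failure", "Guest"),
    ("2004-08-08 02:14:05", 627, "Failure", "support"),
    ("2004-08-08 02:14:06", 627, "Failure", "ASPNET"),
    ("2004-08-08 02:14:09", 642, "Success", "Administrator"),  # account changed right after
    ("2004-08-08 05:13:58", 627, "Failure", "Administrator"),  # repeat about 3 hours later
    ("2004-08-08 05:14:01", 627, "Failure", "Guest"),
    ("2004-08-08 09:30:00", 627, "Failure", "Administrator"),  # lone failure: not a burst
]

def parse(rows):
    """Turn the constructed rows into (datetime, event_id, audit_type, account) tuples."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), eid, kind, acct)
            for t, eid, kind, acct in rows]

def password_change_bursts(events, window_s=10, min_accounts=2):
    """Group 627 failure audits into runs whose whole span fits in window_s seconds.
    A run touching at least min_accounts distinct target accounts is reported as a
    burst: one mistyped password hits one account, a scanner or attacker sprays many.
    Returns (first_time, last_time, sorted account names) per burst."""
    fails = sorted(e for e in events if e[1] == 627 and e[2] == "Failure")
    bursts, i = [], 0
    while i < len(fails):
        j = i
        while (j + 1 < len(fails)
               and fails[j + 1][0] - fails[i][0] <= timedelta(seconds=window_s)):
            j += 1
        accounts = sorted({e[3] for e in fails[i:j + 1]})
        if len(accounts) >= min_accounts:
            bursts.append((fails[i][0], fails[j][0], accounts))
        i = j + 1
    return bursts

def account_changes_after_burst(events, bursts, grace_s=60):
    """642 success audits within grace_s seconds after a burst ended. The failures
    alone could be a scanner; a 642 means the account really was modified.
    Returns (time, account, whether that account was in the burst)."""
    hits = []
    for _start, end, accounts in bursts:
        for t, eid, kind, acct in events:
            if eid == 642 and kind == "Success" and end <= t <= end + timedelta(seconds=grace_s):
                hits.append((t, acct, acct in accounts))
    return hits
```

On the constructed records this reports two bursts and one account change on Administrator right after the first one; the single 09:30 failure is ignored.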
2 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 11787287
Regardless of length, Windows (NT through 2003) by default uses LM and NTLM hashes. NTLM passes can be only 56 chars long, and is case sensitive, and LM is 14 chars long- but split into 2 7-char long hashes, and CASE INSENSITIVE. MBSA could trigger this alert, or is capable of it- It will at least look at the length of your passes to see if they are too short I think... but not sure if it tries any sort of BF against any accounts- in fact I'm pretty sure it won't. There are other triggers, like your ASP.NET that are possible http://support.microsoft.com/default.aspx?scid=kb;EN-US;842789 for example...
More on the differences in the hashes:
http://is-it-true.org/nt/atips/atips92.shtml (LanMan)
http://www.winnetmag.com/Articles/Index.cfm?ArticleID=7072 (JohntheRipper is much faster than L0pht)
-rich


0
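Added illustration of the LM point made in the accepted answer (my code, not Rich's or Microsoft's): the key-material stage of the LanMan hash, which upper-cases the password, cuts or pads it to 14 bytes, splits it into two 7-byte halves and expands each into an 8-byte odd-parity DES key. The real algorithm then DES-encrypts a fixed constant with each key; that step is omitted here because it adds nothing to the point, which is that case and anything past the 14th character never reach the hash.

```python
def lm_halves(password: str):
    """Return the two 7-byte halves that LanMan derives from a password.
    LM upper-cases the password, truncates or NUL-pads it to exactly 14 bytes and
    splits it in two; each half is hashed on its own, so case never reaches the
    hash, nothing past character 14 reaches it, and a password of 7 characters or
    fewer leaves the second half as seven NULs (a constant every attacker knows)."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]

def des_key_from_7(half: bytes) -> bytes:
    """Spread the 56 bits of a half over 8 bytes (7 key bits per byte) and set the
    low bit of each byte so the byte has odd parity, as DES key scheduling expects."""
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:  # even number of ones: parity bit makes it odd
            byte |= 1
        key.append(byte)
    return bytes(key)

def lm_key_material(password: str):
    """The two DES keys LM would use; equal key material here means equal LM hashes."""
    return tuple(des_key_from_7(h) for h in lm_halves(password))

def collide(a: str, b: str) -> bool:
    """True when two different passwords would produce the same LM hash."""
    return a != b and lm_key_material(a) == lm_key_material(b)
```

So the 128-bit passphrase from the question is only as strong, against its LM hash, as its first 14 characters folded to upper case, two independent 7-character pieces.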
 

Author Comment

by: shaileshmark
ID: 11787752
Hi rich -- I started using the long passphrases after reading the following article:
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
Sorry -- I still haven't figured out how to make it into a link.

Just a response to your remark about LM & NTLM hashes.

At any rate, I am equally, if not more, interested in knowing how far my system was compromised, only with reference to whether or not I can use the Visual Studio projects & SQL Server backups from the "tainted" machine before I reformatted it -- I don't know how many times!
0
