Solved

server hacked?

Posted on 2004-08-12
250 Views
Last Modified: 2013-12-04
About 4 days ago I had a bunch of failure audits with Event ID 627 in my Security Logs, as well as a few success audits with Event ID 642 saying user account changed for the administrator account. I am pretty sure this happened through remote access channels and/or using null sessions. I had an almost 128 bit long passphrase for the administrator account -- so it did not seem susceptible to "dictionary" style attack or even brute force attack unless somebody used a sniffer to monitor the traffic between my laptop and the server whenever I would administer the server remotely through Windows RDP & I did that quite often. All this happened even though I have a hardware & a software firewall.
I have completely reformatted the server (running Windows 2003 Enterprise) three times, disabled the null sessions/admin share in the registry, disabled NetBIOS & set deny access to the computer from the network in my security policies, & enabled port filtering.
My question is: How safe is it to use my Visual Studio solutions & project files with code behind & image files that I copied from the server before I reformatted it? Also, can I use the SQL Server database that I backed up before I reformatted the server, and restore it on the newly built system? Is there any possibility that the attacker might have "embedded" some hidden files in my Visual Studio solutions & project files, as well as my SQL Server database, so that my copied VS solutions & the database backup are somehow "infected"? Will I need to completely rebuild my database from scratch as well as my Visual Studio projects on the newly built system instead of using the ones that I copied?
Thanks.

PS: On second thought, could this have been the MBSA I had used that day on the system that generated all these security log events? If that is true, then the whole reformatting was an exercise in futility! But why would MBSA try to change my administrator account (although it did have the username as "Administrator") when I had a terribly long and complex passphrase? Besides the POP3 accounts on the local system -- these accounts do not have logon privileges on the local system -- it also played with my guest, support, and ASP.NET accounts, although the first two were disabled. All the security log events with failure audits happened within 10 seconds & repeated again after three hours. I am not sure if I used the MBSA at the same time these log events were recorded. Confused.
0
Comment
Question by:shaileshmark
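The pattern the question describes (a cluster of failed Event ID 627 password-change attempts against several accounts inside about ten seconds, followed by a successful Event ID 642 account change, recurring hours later) is easy to flag mechanically. The following is an added example, not code from the question or any answer; the pipe-delimited log lines are constructed sample data, and the account names, window size and threshold are assumptions:

```python
from datetime import datetime, timedelta

# Windows 2003 security-log event IDs reported in the question
CHANGE_PASSWORD_ATTEMPT = 627  # failure audit: someone tried to change a password
USER_ACCOUNT_CHANGED = 642     # success audit: account attributes were modified

# Constructed sample log, not data from the poster's server.
# Line format: "<timestamp>|<audit result>|<event id>|<target account>"
SAMPLE_LOG = """\
2004-08-08 02:13:01|Failure|627|Administrator
2004-08-08 02:13:02|Failure|627|Guest
2004-08-08 02:13:03|Failure|627|Support
2004-08-08 02:13:04|Failure|627|ASPNET
2004-08-08 02:13:06|Success|642|Administrator
2004-08-08 05:13:01|Failure|627|Administrator
2004-08-08 05:13:02|Failure|627|Guest
2004-08-08 05:13:05|Failure|627|Support
2004-08-08 05:13:07|Success|642|Administrator
2004-08-08 09:00:00|Success|642|Administrator
"""


def parse_events(text):
    """Turn the pipe-delimited sample into a time-sorted list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, result, event_id, account = line.split("|")
        events.append({"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                       "result": result, "id": int(event_id), "account": account})
    return sorted(events, key=lambda e: e["time"])


def find_bursts(events, window=timedelta(seconds=10), min_failures=3):
    """Report clusters of failed 627 audits inside `window`, plus the accounts
    that got a successful 642 change within the same window after the cluster began."""
    failures = [e for e in events
                if e["id"] == CHANGE_PASSWORD_ATTEMPT and e["result"] == "Failure"]
    bursts, i = [], 0
    while i < len(failures):
        start = failures[i]["time"]
        cluster = [f for f in failures[i:] if f["time"] - start <= window]
        if len(cluster) >= min_failures:
            changed = sorted({e["account"] for e in events
                              if e["id"] == USER_ACCOUNT_CHANGED and e["result"] == "Success"
                              and start <= e["time"] <= start + window})
            bursts.append({"start": start, "changed_after": changed,
                           "accounts": sorted({f["account"] for f in cluster})})
        i += len(cluster) if len(cluster) >= min_failures else 1  # slide past a burst only
    return bursts
```

Run against a real export, each burst's start time can then be compared with when MBSA (or any other scanner) was actually launched, which is the check the PS in the question is asking for.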
2 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 11787287
Regardless of length, Windows (NT through 2003) by default uses LM and NTLM hashes. NTLM passes can be only 56 chars long, and is case sensitive, and LM is 14 chars long -- but split into 2 7-char long hashes, and CASE INSENSITIVE. MBSA could trigger this alert, or is capable of it -- it will at least look at the length of your passes to see if they are too short I think... but not sure if it tries any sort of BF against any accounts -- in fact I'm pretty sure it won't. There are other triggers, like your ASP.NET, that are possible: http://support.microsoft.com/default.aspx?scid=kb;EN-US;842789 for example...
More on the differences in the hashes :
http://is-it-true.org/nt/atips/atips92.shtml (LanMan)
http://www.winnetmag.com/Articles/Index.cfm?ArticleID=7072 (JohntheRipper is much faster than L0pht)
-rich


0
 

Author Comment

by:shaileshmark
ID: 11787752
Hi rich -- I started using the long passphrases after reading the following article:
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
Sorry -- I still haven't figured out how to make it into a link.

just a response to your remark about LM & NTLM hashes.

At any rate, I am equally, if not more, interested in knowing how far my system was compromised, only with reference to whether or not I can use the Visual Studio projects & SQL Server backups from the "tainted" machine before I reformatted it -- I don't know how many times!
0
