Solved

server hacked?

Posted on 2004-08-12
Last Modified: 2013-12-04
About 4 days ago I had a bunch of failure audits with Event ID 627 in my Security Logs, as well as few success audits with Event ID 642 saying user account changed for the administrator account. I am pretty sure this happened through remote access channels and/or using null sessions. I had an almost 128 bit long passphrase for the administrator account -- so it did not seem susceptible to "dictionary" style attack or even brute force attack unless somebody used a sniffer to monitor the traffic between my laptop and the server whenever I would administer the server remotely through windows RDP & I did that quite often. All this happened even though I have a hardware & a software firewall.
I have completely reformatted the server (running Windows 2003 Enterprise) three times, disabled the null sessions/admin share in the registry, disabled netbios & set deny access to the computer from the network in my security policies, & enabled port filtering.
My question is: How safe is it to use my visual studio solutions & project files with code behind & image files that I copied from the server before I reformatted it? Also, can I use the sql server database that I backed up before I reformatted the server, and restore it on the newly built system? Is there any possibility that the attacker might have "embedded" some hidden files in my Visual Studio solutions & project files, as well as my sql server database, so that my copied VS solutions & the database backup are somehow "infected"? Will I need to completely rebuild my database from scratch as well as my visual studio projects on the newly built system instead of using the ones that I copied?
Thanks.

PS: On second thoughts, could this have been the MBSA I had used that day on the system that generated all these security log events? If  that is true, then the whole reformatting was an exercise in futility! But why would MBSA try to change my administrator account ( although it did have the username as "Administrator") when I had a terribly long and complex passphrase? Besides the pop3 accounts on the local system -- these accounts do not have logon privileges on the local system -- it also played with my guest, support, and ASP.NET account, although the first two were disabled. All the security log events with failure audits happened within 10 seconds & repeated again after three hours. I am not sure if I used the MBSA at the same time these log events were recorded. confused.
Question by:shaileshmark
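Added example, not code from the thread: a small Python detector for the log pattern the question describes, a burst of Event ID 627 failure audits across several local accounts within a few seconds, a successful Event ID 642 on one of them right after, and the same burst recurring hours later. Event IDs 627 (change password attempt) and 642 (user account changed) are the real Windows 2003 security audit IDs; every timestamp and account name in the sample is constructed, and the 10-second window, 60-second grace period and minimum burst size are assumptions chosen for the example.

```python
"""Burst detection over Windows 2003-style security audit events.

Added example, not code from the thread. Event IDs 627 (change password
attempt) and 642 (user account changed) are the real Windows 2003 audit
IDs; every timestamp and account name below is constructed to mirror the
symptoms in the question, and the window/grace values are assumptions.
"""
from datetime import datetime, timedelta

EVENT_CHANGE_PASSWORD_ATTEMPT = 627
EVENT_USER_ACCOUNT_CHANGED = 642

# Constructed sample log: (timestamp, event id, outcome, target account)
SAMPLE_EVENTS = [
    ("2004-08-08 02:13:01", 627, "Failure", "Administrator"),
    ("2004-08-08 02:13:02", 627, "Failure", "Guest"),
    ("2004-08-08 02:13:03", 627, "Failure", "Support"),
    ("2004-08-08 02:13:04", 627, "Failure", "ASPNET"),
    ("2004-08-08 02:13:08", 627, "Failure", "Administrator"),
    ("2004-08-08 02:13:09", 642, "Success", "Administrator"),
    ("2004-08-08 05:13:01", 627, "Failure", "Administrator"),
    ("2004-08-08 05:13:02", 627, "Failure", "Guest"),
    ("2004-08-08 05:13:03", 627, "Failure", "ASPNET"),
    ("2004-08-09 09:00:00", 627, "Failure", "Administrator"),  # lone event, e.g. a typed-in mistake
]


def parse_events(rows):
    """Turn the text rows into (datetime, event id, outcome, account) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, outcome, acct)
            for ts, eid, outcome, acct in rows]


def find_bursts(events, window_seconds=10, min_events=3):
    """Group failed 627 audits that fall within window_seconds of the first one.

    Returns a list of (first_ts, last_ts, sorted target accounts) for every
    group holding at least min_events failures.
    """
    failures = sorted(e for e in events
                      if e[1] == EVENT_CHANGE_PASSWORD_ATTEMPT and e[2] == "Failure")
    window = timedelta(seconds=window_seconds)
    bursts, i = [], 0
    while i < len(failures):
        start = failures[i][0]
        j = i
        while j + 1 < len(failures) and failures[j + 1][0] - start <= window:
            j += 1
        group = failures[i:j + 1]
        if len(group) >= min_events:
            bursts.append((start, group[-1][0], sorted({e[3] for e in group})))
        i = j + 1
    return bursts


def correlate_account_changes(events, bursts, grace_seconds=60):
    """Successful 642 audits on a burst's accounts shortly after that burst.

    A failed-attempt burst that ends in a successful account change on the
    same account is the combination worth escalating.
    """
    hits = []
    for _, end, accounts in bursts:
        for ts, eid, outcome, acct in events:
            if (eid == EVENT_USER_ACCOUNT_CHANGED and outcome == "Success"
                    and acct in accounts
                    and end <= ts <= end + timedelta(seconds=grace_seconds)):
                hits.append((acct, ts.strftime("%Y-%m-%d %H:%M:%S")))
    return hits


def hours_between_bursts(bursts):
    """Spacing of consecutive bursts; a fixed interval suggests a scheduled job."""
    return [round((b[0] - a[0]).total_seconds() / 3600, 2)
            for a, b in zip(bursts, bursts[1:])]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    found = find_bursts(evts)
    for start, end, accounts in found:
        print(f"burst {start} .. {end}: {', '.join(accounts)}")
    print("account changes after bursts:", correlate_account_changes(evts, found))
    print("hours between bursts:", hours_between_bursts(found))
```

A burst that touches every local account in the same few seconds and repeats on a fixed interval is what a scheduled scanner looks like as much as what a remote attempt looks like; the caller and logon fields of each event, which this constructed sample leaves out, are what separate the two, so keep them when exporting the log for review.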
2 Comments
 
LVL 38

Accepted Solution

by: Rich Rumble
Regardless of length, windows (nt through 2003) by default uses LM and NTLM hashes. NTLM passes can be only 56 chars long, and is case sensitive, and LM is 14 chars long- but split into 2 7char long hashes, and CASE INSENSITIVE. MBSA could trigger this alert, or is capable of it- It will at least look at the length of your passes to see if they are too short I think... but not sure if it tries any sort of BF against any accounts- in fact I'm pretty sure it won't. There are other triggers, like your ASP.NET that are possible http://support.microsoft.com/default.aspx?scid=kb;EN-US;842789 for example...
More on the differences in the hashes :
http://is-it-true.org/nt/atips/atips92.shtml (LanMan)
http://www.winnetmag.com/Articles/Index.cfm?ArticleID=7072 (JohntheRipper is much faster than L0pht)
-rich


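Added example, not code from the thread or from Rich: a Python model of the LM versus NTLM hash structure the answer above describes (LM folds case and splits the 14-character password into two independent 7-byte halves; NTLM keeps case and hashes the whole password). Real LM uses DES with each half as a key and real NTLM uses MD4; the standard library has neither DES nor a dependable MD4, so SHA-256 is substituted for both one-way steps. The digests are therefore not real LM/NTLM values, but the structural properties the model exposes (case folding, shared halves, the visible all-NUL second half of short passwords, no LM hash for passwords over 14 characters, and the resulting search-space arithmetic) are the real ones. All passwords in it are constructed.

```python
"""Structural model of LM versus NTLM password hashing.

Added example, not code from the thread. Real LM hashing upper-cases the
password, truncates/pads it to 14 bytes, splits it into two 7-byte halves
and uses each half as a DES key against a fixed constant; real NTLM hashes
the case-preserved UTF-16LE password with MD4. The standard library has no
DES and no dependable MD4, so SHA-256 stands in for both one-way steps.
The model reproduces the structure (case folding, truncation, independent
halves), not the real digest values.
"""
import hashlib

LM_MAX_LEN = 14
LM_HALF_LEN = 7
PRINTABLE_ASCII = [chr(c) for c in range(32, 127)]  # 95 characters


def _stand_in_prf(data: bytes) -> str:
    """Placeholder for DES-with-fixed-plaintext and for MD4 (NOT the real primitives)."""
    return hashlib.sha256(data).hexdigest()[:16]


def lm_style_hash(password: str):
    """Model of the LM hash: two independently computed 7-byte halves.

    Returns None for passwords over 14 characters, since Windows stores no
    usable LM hash for those (the reason >14-character passphrases help).
    """
    if len(password) > LM_MAX_LEN:
        return None
    folded = password.upper().encode("ascii").ljust(LM_MAX_LEN, b"\x00")
    halves = folded[:LM_HALF_LEN], folded[LM_HALF_LEN:]
    return tuple(_stand_in_prf(h) for h in halves)


def ntlm_style_hash(password: str) -> str:
    """Model of the NTLM hash: whole password, case preserved, one digest."""
    return _stand_in_prf(password.encode("utf-16-le"))


def lm_search_space() -> int:
    """Candidates to enumerate for an LM hash: two halves, each searched alone,
    over the alphabet that survives upper-casing (69 of the 95 printable ASCII)."""
    folded_alphabet = {c.upper() for c in PRINTABLE_ASCII}
    return 2 * len(folded_alphabet) ** LM_HALF_LEN


def ntlm_search_space(length: int) -> int:
    """Candidates for a case-sensitive password of the given length, all at once."""
    return len(PRINTABLE_ASCII) ** length


def weaknesses_shown() -> dict:
    """Collect the structural properties the model makes visible (constructed passwords)."""
    mixed, upper, same_prefix = "Passw0rd!23", "PASSW0RD!23", "Passw0rdXYZ"
    return {
        # LM folds case, so the two spellings collide; NTLM keeps them apart.
        "lm_case_insensitive": lm_style_hash(mixed) == lm_style_hash(upper),
        "ntlm_case_sensitive": ntlm_style_hash(mixed) != ntlm_style_hash(upper),
        # Halves are independent: same first 7 chars => same first half.
        "lm_first_half_shared": lm_style_hash(mixed)[0] == lm_style_hash(same_prefix)[0],
        # Any password of 7 chars or fewer has an all-NUL second half.
        "lm_short_password_visible": lm_style_hash("abcdefg")[1] == lm_style_hash("x")[1],
        # A long passphrase leaves no LM hash at all.
        "lm_absent_for_long_passphrase": lm_style_hash("correct horse battery staple") is None,
        # How much smaller the LM search is than a 14-character NTLM search.
        "ntlm14_to_lm_ratio": ntlm_search_space(14) // lm_search_space(),
    }


if __name__ == "__main__":
    for name, value in weaknesses_shown().items():
        print(f"{name}: {value}")
```

The defender's takeaway from the model is the same as the thread's: passphrases longer than 14 characters leave no LM hash to attack, and the "Do not store LAN Manager hash value on next password change" policy removes it for shorter ones too.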
 

Author Comment

by:shaileshmark
Hi rich -- I started using the long passphrases after reading the following article:
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
Sorry -- I still haven't figured out how to make it into a link.

just a response to your remark about LM & NTLM hashes.

At any rate, I am equally, if not more, interested in knowing how far my system was compromised, only with reference to whether or not I can use the Visual Studio Projects & SqlServer backups from the "tainted" machine before I reformatted it -- I don't know how many times!
