Hacked by my own server?

jpertchik asked (Medium Priority, 302 Views), Last Modified: 2013-11-22
Here is a report of something I got from my antivirus software server (we use Kaspersky Enterprise):

Event Hacker attack detection happened on computer FHALE in the domain OWPRNETWORK at Mon Feb 16 10:56:44 2009 Intrusion.Win.LSASS.exploit! Attacker's IP address: 192.168.1.15. Protocol/service: TCP on local port 139. Time: 2/16/2009 10:56:44 AM

Attacker's IP address: 192.168.1.15 is my domain controller, file server, print server...

Should I be freaking yet?

What do I do?

Thanks as usual,

JPertchik

The LSASS exploit was patched in XP SP2, is blocked by the firewall when it comes from the internet, and finally Kaspersky detects and blocks it as well. So the workstation is safe. But the fact that it's coming from your domain controller is disconcerting. Those kinds of attacks typically come from somewhere out on the internet.

If you have a rogue process running on your domain controller, your whole network is compromised and it's reason to be freaking. Examine the DC thoroughly for anything suspicious. Run antivirus scans, run HijackThis, run Sysinternals Process Explorer and Sysinternals Autoruns, identify any strange-looking processes or services, and terminate them.

If you were compromised, check your users and your group policies for suspicious entries. If I were a hacker and I gained control over a domain controller, the first thing I'd do is create an administrator user so that I have free rein over the whole network. Look for strange shares or permissions added to critical folder shares, newly created users, and administrator users whose passwords have been changed.

Good luck

Mohamed Osama, Senior IT Consultant (Certified Expert), commented:
In addition to the above advice, please check your DC and other servers for missing operating system or other critical patches; Microsoft Baseline Security Analyzer is a good tool to assist here.
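The checks the answer lists (recently created accounts, privileged-group members whose account or password is new, non-default shares, services and autostart entries pointing outside the Windows tree) together with the patch-currency check from the comment, collected into one PowerShell triage script. This is an added example, not code from the thread, from Kaspersky or from Microsoft. It assumes it is run elevated on the DC (or on a domain member with RSAT) under PowerShell 2.0 or later with the ActiveDirectory module available (Server 2008 R2 or newer), and the 30-day lookback window in $LookbackDays is an arbitrary choice; the Security-log event IDs cover both the Server 2003 (624/632/636/660) and Server 2008+ (4720/4728/4732/4756) numbering.

```powershell
# DC triage after an intrusion alert naming the DC as the attacker.
# Added example (not from the original thread). Assumes: elevated session on the DC,
# PowerShell 2.0+, ActiveDirectory module present. $LookbackDays is an assumed window.
param([int]$LookbackDays = 30)

Import-Module ActiveDirectory -ErrorAction Stop
$since = (Get-Date).AddDays(-$LookbackDays)

"== Accounts created in the last $LookbackDays days =="
Get-ADUser -Filter * -Properties whenCreated, Enabled |
    Where-Object { $_.whenCreated -ge $since } |
    Sort-Object whenCreated -Descending |
    Select-Object SamAccountName, whenCreated, Enabled | Format-Table -AutoSize

"== Members of privileged groups (nested) with creation and password-set dates =="
$privileged = foreach ($grp in 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins') {
    Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser $_.DistinguishedName -Properties whenCreated, PasswordLastSet
            New-Object PSObject -Property @{
                Group           = $grp
                User            = $u.SamAccountName
                Created         = $u.whenCreated
                PasswordLastSet = $u.PasswordLastSet
                # A privileged account created, or whose password changed, inside the window
                Suspicious      = ($u.whenCreated -ge $since) -or ($u.PasswordLastSet -ge $since)
            }
        }
}
$privileged | Sort-Object Suspicious -Descending |
    Format-Table Group, User, Created, PasswordLastSet, Suspicious -AutoSize

"== Security log: user created / added to a privileged group since $since =="
# 624/4720 user created; 632/4728 global, 636/4732 local, 660/4756 universal group member added.
# Filtering on EventID (not -InstanceId) keeps the 2003 and 2008+ numbering both correct.
$auditIds = 624, 632, 636, 660, 4720, 4728, 4732, 4756
Get-EventLog -LogName Security -After $since -ErrorAction SilentlyContinue |
    Where-Object { $auditIds -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, @{n = 'Summary'; e = { ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize

"== Shares other than the defaults =="
$defaultShares = 'ADMIN$', 'IPC$', 'NETLOGON', 'SYSVOL', 'print$'
Get-WmiObject Win32_Share |
    Where-Object { ($defaultShares -notcontains $_.Name) -and ($_.Name -notmatch '^[A-Z]\$$') } |
    Select-Object Name, Path, Description | Format-Table -AutoSize

"== Services whose binary lives outside the Windows and Program Files trees =="
$trustedRoots = '^"?(' + [regex]::Escape($env:SystemRoot) + '|' + [regex]::Escape($env:ProgramFiles) + ')'
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -and ($_.PathName -notmatch $trustedRoots) } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

"== Run / RunOnce autostart entries (compare against Sysinternals Autoruns) =="
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (Test-Path $key) {
        "-- $key"
        Get-ItemProperty $key | Select-Object * -ExcludeProperty PS* | Format-List
    }
}

"== Ten most recent installed updates (a stale list means the patch check is overdue) =="
Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn | Format-Table -AutoSize
```

Run it once on the DC that the alert named as the attacker, save the output, and treat any row marked Suspicious, any unexpected share, and any service or Run entry outside the Windows tree as a lead to chase with Process Explorer and Autoruns; none of these checks proves compromise on its own, and an empty result does not prove the host is clean, since a rootkit-class implant can hide from all of them.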
