
Thread: Cracker Trying To Get In...

  1. #11
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    Here are the ports I have open on the server: 135, 445, 1025, 1131, 1214, 1597, 1601, 3312, 3313, 5000

    I do not have the servers behind a firewall.

    khakisrule, thanks for the suggestion. IIS FTP does not have that feature. I'm going to look into some alternative FTP servers and find one that offers that feature.

    Can anyone explain to me how I can stop that share information from being displayed, along with how to stop the account dump?
    An Ounce of Prevention is Worth a Pound of Cure...

  2. #12
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    firewall that bad boy, before it turns into either a warez site or a launch pad for attack against other unprotected computers...which brings to light one question - have you tried running nbtdump against the supposed host that the attack is originating from?
    -droby10

  3. #13
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    droby10, I'm not sure how to go about getting a firewall. Here is my situation:

    I have two web servers on a DSL connection. I purchase IP Addresses from my DSL provider when I get new web sites to host. I have about 6 IP Addresses from them.

    What kind of hardware firewall can I use for a setup like that? Any online stores anyone can refer me to? I actually asked about this a few months ago, but no one could help me out with a firewall to go along with my current setup.

    This netbios thing is still bugging me out. Is there any way to stop that other than blocking the port from the outside world with a firewall? Any way to disable it for now, at least until I get a firewall, and what would be any negative results of me doing that?

    Sorry for all the questions, but I just want to get this locked down asap due to this cracker currently trying to get in. Thanks again everyone.
    An Ounce of Prevention is Worth a Pound of Cure...

  4. #14
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    "IIS FTP does not have that feature"

    you can limit who and where people log in from with IIS 5.

    suggested search and reading topics:

    - win2k domain/local policies
    - IIS lockdown measures
    - null sessions

    you asked earlier about null sessions, the null session may be something that is vital to your infrastructure - but there's no reason to allow it out in the open, so at least firewall it. otherwise i would suggest disabling it. It is what allows for the enumeration of shares, users, services, etc.

    quick fix, !!!!if it's not vital to infrastructure!!!!

    then change the registry key for:

    HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous

    from DWORD 0 to 1 or 2 (depends on your needs). i would start out with 2 as it usually makes the most sense.
    -droby10

  5. #15
    Here is one ftp server, http://download.com.com/3000-2165-24...ml?tag=lst-0-1 the G6 ftp server. It supports anti-hammering which means it will block the user from connecting if they try to connect too many times or too fast.
    http://download.com.com/3000-2165-10...ml?tag=lst-0-9 looks ok, it supports a ban feature.
    http://download.com.com/3000-2165-10...l?tag=lst-0-13 I put guild-ftp in here because it also supports banning and anti-hammering but is free, unlike the other two which are only free to try.
    These are just a few of the ftp servers I found on the first page of a search at download.com, so I imagine there are many ftp servers that have the anti-hammering feature. Look for it, I am sure you will find one to your liking. Good luck.
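    The anti-hammering behaviour described above (block a client that connects too many times too fast) as an added example, written here for illustration and not taken from any of the FTP servers linked in this post. It applies a sliding-window count per source address to a constructed connection log; the thresholds, the log format and the TEST-NET addresses are all assumptions.

```python
"""Anti-hammering check over FTP connection-attempt log lines.

Added example, not code from any FTP server named in the thread. A source
address that opens more than MAX_ATTEMPTS connections inside WINDOW_SECONDS
is banned for BAN_SECONDS; attempts during the ban are rejected.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5        # assumption: more than 5 connects per window is hammering
WINDOW_SECONDS = 60     # assumption: sliding window length
BAN_SECONDS = 600       # assumption: ban duration

# Constructed sample log, format "<date> <time> <client-ip> <event>".
# 203.0.113.7 hammers the server; 198.51.100.4 is a normal client.
SAMPLE_LOG = """\
2002-07-01 10:00:01 203.0.113.7 connect
2002-07-01 10:00:02 198.51.100.4 connect
2002-07-01 10:00:03 203.0.113.7 connect
2002-07-01 10:00:05 203.0.113.7 connect
2002-07-01 10:00:07 203.0.113.7 connect
2002-07-01 10:00:09 203.0.113.7 connect
2002-07-01 10:00:11 203.0.113.7 connect
2002-07-01 10:00:20 203.0.113.7 connect
2002-07-01 10:05:00 198.51.100.4 login
2002-07-01 10:05:00 198.51.100.4 connect
2002-07-01 10:15:00 203.0.113.7 connect
"""


def parse_line(line):
    """Split one log line into (timestamp, client ip, event)."""
    ts_str, ip, event = line.rsplit(" ", 2)
    return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"), ip, event


def detect_hammering(lines, max_attempts=MAX_ATTEMPTS,
                     window=WINDOW_SECONDS, ban=BAN_SECONDS):
    """Replay connection attempts and decide allow / ban / reject per attempt.

    Returns (decisions, banned_until) where decisions is a list of
    (ip, verdict) in log order and banned_until maps ip -> ban expiry.
    """
    recent = defaultdict(deque)   # ip -> timestamps of connects inside the window
    banned_until = {}             # ip -> datetime when the ban lapses
    decisions = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, event = parse_line(line)
        if event != "connect":
            continue              # only connection attempts count toward hammering
        if ip in banned_until and ts < banned_until[ip]:
            decisions.append((ip, "reject"))
            continue
        attempts = recent[ip]
        attempts.append(ts)
        # drop attempts that have fallen out of the sliding window
        while attempts and (ts - attempts[0]).total_seconds() > window:
            attempts.popleft()
        if len(attempts) > max_attempts:
            banned_until[ip] = ts + timedelta(seconds=ban)
            attempts.clear()
            decisions.append((ip, "ban"))
        else:
            decisions.append((ip, "allow"))
    return decisions, banned_until


if __name__ == "__main__":
    verdicts, bans = detect_hammering(SAMPLE_LOG.splitlines())
    for ip, verdict in verdicts:
        print(f"{ip:15} {verdict}")
    for ip, until in bans.items():
        print(f"{ip} banned until {until}")
```

    In the sample, the sixth connect from 203.0.113.7 inside one minute triggers the ban, the attempt at 10:00:20 is rejected, and the attempt at 10:15:00 (after the ten-minute ban has lapsed) is allowed again. A real server would also need to expire entries in `recent` for addresses that never come back, or the table grows without bound.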

  6. #16
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    "you can limit who and where people log in from with IIS 5."

    I have started blocking the IP Addresses as they come in. They are constantly changing though. This guy is really annoying.

    "suggested search and reading topics:

    - win2k domain/local policies
    - IIS lockdown measures
    - null sessions"

    I just got done reading the IIS 5 Security Check list, and the Windows 2000 Security check list on the MS web site. I did everything they suggested.

    "you asked earlier about null sessions, the null session may be something that is vital to your infrastructure - but there's no reason to allow it out in the open, so at least firewall it. otherwise i would suggest disabling it. It is what allows for the enumeration of shares, users, services, etc."

    As soon as I get a firewall it is getting blocked. That is the first thing I am doing as soon as I hook the firewall up. Unfortunately, I'm really not sure if it is vital to my infrastructure or not. It is installed by default. I'm searching the web right now for more information on it. And I probably will disable it.
    An Ounce of Prevention is Worth a Pound of Cure...

  7. #17
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Indeed, download a firewall, be it zonealarm, tiny firewall, outpost...
    Only let in port 21 and 20. (if you want to allow pasv (passive) ftp transfers, you will need to open a bunch of high ports (6000-65535 for say..) too.)
    If you run a web server, let in port 80 also.

    Make sure ports 135-139 as well as 445 are firewalled: these are microsoft networking ports (netbios over tcp (nbt)).
    If you are not using file sharing, go in network properties and remove "file and printer sharing for microsoft network".

    If you are using file sharing on an internal network and the ftp server absolutely has to be able to share too, and the computer is multihomed (it has 2 network cards, one on the LAN, one on the internet) - not recommended -, go to network and dial-up connections, click the advanced menu and select advanced settings, select the network card on the internet in the top list box, and uncheck file and printer sharing and client for microsoft network.
    Also make sure that the ports mentioned above are well firewalled.

    Also, go in control panel, administrative tools, local security settings, local policies, security options, double click additional restrictions for anonymous connections, select no access without explicit anonymous permission.

    That should be a good first step in getting you secured.

    From what you've told us up to now, your current setup is REALLY NOT SECURE! It's a good thing you asked us!

    Ammo
    Credit travels up, blame travels down -- The Boss
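    A way to check a box against the port advice in this post, as an added example that is not code from the original thread or from any firewall product named in it. It parses `netstat -an` output in the layout Windows prints (the sample below is constructed, with RFC 5737 documentation addresses) and sorts each reachable listener into "expected for a web/FTP host", "Microsoft networking port to firewall", or "needs review". The allowed-port set and the passive FTP range are assumptions taken from the post.

```python
"""Audit listening ports from `netstat -an` output against a hosting baseline.

Added example, not from any tool mentioned in the thread. Loopback-only
listeners and established connections are ignored; everything else is
classified against the ports the post says a web/FTP host needs.
"""
import re

# Assumptions, following the post: FTP control/data, HTTP, and a passive range.
ALLOWED_TCP_PORTS = {20, 21, 80}
PASSIVE_FTP_RANGE = range(6000, 65536)
# Microsoft networking (NetBIOS over TCP/IP and SMB) that the post says to firewall.
NETBIOS_SMB_PORTS = {135, 137, 138, 139, 445}

# Constructed sample in the format Windows `netstat -an` produces.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3312         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          203.0.113.7:4021       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\w+))?\s*$")


def listening_ports(netstat_text):
    """Return the set of (proto, port) listeners reachable from outside the host."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header lines and blank lines
        proto, addr, port, state = m.groups()
        if addr.startswith("127."):
            continue                      # loopback-only: not reachable remotely
        if proto == "TCP" and state != "LISTENING":
            continue                      # an established connection is not a listener
        found.add((proto, int(port)))
    return found


def classify(ports):
    """Bucket listeners into expected / firewall_now / review."""
    report = {"expected": set(), "firewall_now": set(), "review": set()}
    for proto, port in ports:
        if port in NETBIOS_SMB_PORTS:
            report["firewall_now"].add((proto, port))
        elif proto == "TCP" and (port in ALLOWED_TCP_PORTS or port in PASSIVE_FTP_RANGE):
            report["expected"].add((proto, port))
        else:
            report["review"].add((proto, port))
    return report


if __name__ == "__main__":
    result = classify(listening_ports(NETSTAT_SAMPLE))
    for bucket, entries in result.items():
        for proto, port in sorted(entries):
            print(f"{bucket:13} {proto}/{port}")
```

    On the sample, 135/tcp, 445/tcp, 137/udp and 138/udp land in `firewall_now`, 21 and 80 are `expected`, and 1025/tcp (an RPC-style high port, not in the passive range) is flagged for review so the admin can decide whether it belongs. Port 1025 is one of the ports the original poster listed as open, which is why the sample includes it.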

  8. #18
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    at least the passwords weren't stored in the user comments...right?
    -droby10

  9. #19
    Senior Member n01100110
    Join Date
    Jan 2002
    Posts
    352
    Well first of all, if you have file shares on your system, one way of protecting them from appearing in Legion or any other lame file share searcher: when you are in the network menu configuring your shares, say the share name was called MY_DOCS; what you wanna do is append a $ at the end of the share name (IE MY_DOCS$). Presto, it is hidden from remote attackers. This was not intended to solve the problem you're facing, but it will help you all that much more.
    -N
    "Serenity is not the absence of conflict, but the ability to cope with it."

  10. #20
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    Ammo, yes it is a good thing I asked. You guys have helped out so much, and I have learned a great deal in the past couple of hours.

    "at least the passwords weren't stored in the user comments...right?"
    Oops.... just kidding

    I think I have the server locked down a lot better than it was before, I just really need to get a firewall now. I'm a little sketchy on installing a software firewall on my Windows 2000 Server box. Has anyone done this with ZoneAlarm? I have been very pleased with ZoneAlarm on my personal PC, but I don't know how it would act on a Windows 2000 Server machine.

    OK... Just disabled netbios over tcp/ip all together and nbtdump no longer displays any of the information. I am so damn happy now. I feel much safer... I am still shocked that that is enabled by default especially on a web server.

    So anyone have any other suggestions on where to go from here to secure my servers? This whole experience has been an eye opener. I was always under the impression that as long as you keep up to date with patches you will be all good. I guess I almost became a statistic today.

    Thank you again everyone for all your help.
    An Ounce of Prevention is Worth a Pound of Cure...