Getting Hacked NOW
Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: Getting Hacked NOW

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Posts
    172

    Getting Hacked NOW

    So i'm doing my daily admin stuff and I run into about 200 or more log entries all from the same workstation trying just about every account in AD. However all I have is the following

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 681
    Date: 10/28/2005
    Time: 11:32:11 AM
    User: NT AUTHORITY\SYSTEM
    Computer: NET1
    Description:
    The logon to account: Accounting
    by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    from workstation: GALKENSON
    failed. The error code was: 3221226036

    I need to find the IP and preferably who the hell is doing this. any ideas would be great

    Windows 2000, Active Directory.

    HELP

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    do a nslookup on the workstation name.

    if that doesn't work then find your WINS server (assuming you have WINS enabled) and do the lookup manually that way.

    Either way you will find the IP address of the offending workstation. Then go visit them and find out what is going on. That box /could/ have been compromised from outside and is a hopping point to the rest of your network.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  3. #3
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    144
    You could also look at the arp table, the IP information stays around(a short period) even after the connections have dropped. Try "arp -a" it will give you a list of IP's that have connected, your "attacker" may be one of them.
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi,

    The error messages are account lockout responses. I am surprised that the user hasn't complained.

    I don't know your naming conventions but do you have a G. Alkenson working there?

    I would be inclined to pull the box and scan it in safe mode for malware......................sounds like some sort of bot or backdoor to me? I would definitely take it offline until I had resolved the issue.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    we don't have wins enabled, however I located an IP in one of the logs when he tried to hit a local computer account. IP is 82.52.2.153.

    I did a winfo 82.52.2.153 -n and got some info, such as user accounts logged in Lucios and other accounts on the machine(Admin, Marcios) as well as what OS - Win2000. However my computer than decided to blue screen and when I returned the null share hole in his computer was fixed, but luckily not before I pulled all the ip addresses that it was connected to

    they all had the 82.52 but the last 2 octets changed

    2.16
    123.53
    150.238
    127.138
    40.159
    134.187
    156.137
    72.124
    185.150

    I'm in the process of NMAPing and using Nessus to figure out some more info. So far I'm trying to contact the Service provider of that IP range. I believe its isolated to either Italy or Amsterdam.

  6. #6
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Originally posted here by nihil
    Hi,

    The error messages are account lockout responses. I am surprised that the user hasn't complained.

    I don't know your naming conventions but do you have a G. Alkenson working there?

    I would be inclined to pull the box and scan it in safe mode for malware......................sounds like some sort of bot or backdoor to me? I would definitely take it offline until I had resolved the issue.

    yeah he's probably about to have all the users in the AD give him a call because their accounts are locked out. He said it looks to be progressively scanning all user accounts in the AD... so I'm betting someone installed something like Retina on that box and misconfigured it, or there is malware on that box doing something bad, or perhaps the box has been compromised and is being used to scan the network looking for weak passwords (and once again someone misconfigured the utility to do it).

    These are just guesses though. I would find the IP address first, then yank it from the network to isolate it. Then sit at the desk and see who calls up complaining


    actaully I would go visit the box in question after yanking it, but you never know if it is an authorized scan from a different group.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    hrm, just saw your response. So you are saying these scans are originating from outside of your network to your internal network?

    What kind of firewall are you guys running? Just drop connections from that IP address and be done with it. But then you are going to have to scan your entire network to make sure they didn't get in to anything in there.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  8. #8
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    just this one box on the inside has an external ip for customer connection purposes.

  9. #9
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    We used to get this all the time. We ended up using IPSec to block all but the necessary ports to prevent the AD lockout issue. Essentially, that is what this attack is, to lock out your AD accounts. The result is that accounts get locked out and then in about 30 minutes or whatever your settings are, they come back. Problem is, admin and service accounts get nailed, too.

    You can block this on the perimeter, to an extent, but the IPSec solution is the best and most effective.

  10. #10
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    IPSec is a VPN standard, not really a firewall standard or a way to block ports.

    It sounds like you have some serious openings that shouldn't be open. Do you have 137-139 open to the internet?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •