Guest just bob
Posted March 16, 2008

Microsoft wizards please help me as I am desperate. Someone continues to lock all my admin accounts. My firewall is working properly (allowing only port 53) so I think the guy is using one of the 120 PC's or another server on my network to read my user database and identify the admin accounts and send a command to lock them. We've got the latest Symantec antivirus corporate edition installed and updated on all the machines and it's supposed to identify spyware, etc. Why is it so easy for this guy to do this? I have downloaded all the high priority updates for all machines, servers and PC's. We've also used the server lockdown tool. Why doesn't this help? Most importantly, why does Microsoft not give me more detailed info on which machine this guy is using? The event log just has a random spoof machine name. Last time he did this he spoofed the machine name field to say "sorry". I got lucky there was one admin account he missed and I was able to unlock the accounts. Next time I fear I will not be so lucky.

If there is a better group or forum to use or consultant I can call to get help please advise.
Guest Tomasz Onyszko
Posted March 16, 2008
Re: Hacker locking my accounts

It doesn't necessarily have to be a hacker trying to breach your network - it might be (and it is more likely) an old service or mapped network share which is using an old administrator account.

Try to use these tools to troubleshoot the cause of your problems:
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Guest Andrew Lomakin
Posted March 16, 2008
Re: Hacker locking my accounts

Bob,

The best suggestion for you would be to reinstall all network computers (including the server), BUT if you want to find out where the noise is coming from, you might want to capture network traffic and then try to analyze it, or see if someone here can help you to analyze it. You can try to capture traffic using a tool called `wireshark` - http://www.wireshark.org, but you also need to identify how the hacker is getting into your network...

Regards,
Andrew

"just bob" <kilbyfan@aol.com> wrote in message news:47dd8adc$0$84236$742ec2ed@news.sonic.net...
Guest Paul Weterings
Posted March 16, 2008
Re: Hacker locking my accounts

Hey Bob, Didn't we talk before on this? I recall advising WireShark.

However, reading the below I'm getting a better impression of what is happening. Microsoft IS giving you the correct information to find the person doing this, depending on how you have things running.

Forgive me if below I'm going too 'low level', it's pretty basic stuff, but your mail sounds like you're at the end of your rope, and I just want to make sure we've covered all the bases, including the obvious ones.

From what you're writing this sounds like a brute force password guessing tool that is being used against your administrative accounts. To start there's a few things you can do with group policies to at least make sure you don't get into trouble, while making things harder for the 'hacker'.

The following steps are just to 'temporarily protect yourself' while investigating further, to make sure your accounts aren't getting locked out. Again: I'm not trying to sound demeaning, just covering the bases/basics, so I'll go through every step, even though this may be peanuts for you.

Chapter one: protection.

In Group Policy Management, make sure to edit the Default Domain Policy and go to Windows Settings\Security Settings\Account Lockout Policy.

Define:
Account lockout duration: not defined
Account lockout threshold: 0 invalid logon attempts
Reset account lockout counter after: not defined

Now your accounts will no longer be locked out. Be careful, as this also allows the hacker to run his tools unlimitedly against the accounts (the lockout slowed him down considerably). I'm only proposing this as you point out that you fear losing your administrative accounts, but put this lockout threshold back in place a.s.a.p. if you decide to go this route in the first place.

Chapter two: identifying the hacker

This we can do by making sure Audit account logon events are being audited correctly. To do this, we again use Group Policy Management and we'll define the Default Domain Controllers Policy. In that policy, go to Windows Settings\Security Settings\Local Policies\Audit Policy and make sure to change 'Audit account logon events'. See to it that Success as well as Failure (especially that one) are being logged.

To ensure your Domain controllers have the policy applied as quickly as possible you might consider running 'GPUpdate /force' from the command prompt on your DC's. Otherwise allow some time to pass.

Now each logon event will get logged in the eventlog, with the IP address of the person attempting to logon. The problem is that a user can logon using any domain controller; however, each failed logon on any DC gets 'double checked' by that DC by sending it to the domain's PDC emulator (one of the FSMO roles as you may recall), so it makes most sense to check the eventlogs of the PDC emulator Domain Controller. You can easily find out who the PDC emulator is by opening Active Directory Users and Computers, right-clicking your domain name, and selecting 'Operations Masters'.

The event-ID you are looking for is event: 575, Source: Security, Category: Account Logon.

In the Description field you can see the user name of the account being attempted, but more importantly: the IP number of the system from where the attempt is being done.

I hope this helps you, sorry for wasting your time if you had already done the above.

regards,

Paul
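As an added example (not code from the thread or from any of the posters), this PowerShell script does what Paul describes on a current domain: it finds the PDC emulator, pulls the failed-logon and lockout events from its Security log, and groups them by the account attacked and by the source that sent them. It assumes a Windows Server 2008 or later domain (so the event IDs are 4740, 4771 and 4776 rather than the 2003-era number quoted above), the ActiveDirectory PowerShell module, and remote read access to the PDC emulator's Security log.

```powershell
<#
Added example, not code from the thread or any poster.
Collects failed account-logon and lockout events from the PDC emulator
(the DC Paul points at, since other DCs forward bad-password attempts to it)
and groups them by the account attacked and the source that sent them.

Assumptions: Windows Server 2008 or later, so the event IDs are
4740 (account locked out), 4771 (Kerberos pre-authentication failed) and
4776 (NTLM credential validation failed); the ActiveDirectory module is
installed; the caller can read the PDC emulator's Security log remotely.
#>
param(
    [int]$Hours = 24,              # how far back to look
    [string[]]$WatchAccounts = @() # optional: only report these account names
)

Import-Module ActiveDirectory

# Every failed password in the domain is re-checked against the PDC emulator,
# so its Security log is the one place that sees all the attempts.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4771, 4776
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the event XML instead of scraping
    # the rendered message text, which differs between languages and builds.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($e.Id) {
        4740 {
            # Lockout: "Caller Computer Name" is whatever the client sent,
            # which is why the thread sees made-up names like "sorry".
            $user = $data['TargetUserName']
            $src  = $data['TargetDomainName']
            $ip   = ''
        }
        4771 {
            # Kerberos: the KDC records the peer address it actually received
            # the request from, so this is the field to trust when the
            # supplied workstation name is garbage.
            $user = $data['TargetUserName']
            $src  = ''
            $ip   = ($data['IpAddress'] -replace '^::ffff:', '')
        }
        4776 {
            # NTLM: only a client-supplied workstation name, no IP at all.
            $user = $data['TargetUserName']
            $src  = $data['Workstation']
            $ip   = ''
        }
    }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        User   = $user
        Source = $src
        IP     = $ip
    }
}

if ($WatchAccounts.Count -gt 0) {
    $rows = $rows | Where-Object { $WatchAccounts -contains $_.User }
}

# One line per (account, source name, source IP) with first/last seen and a
# count, most active first. A burst of 4776 entries from a name that resolves
# to nothing, next to 4771 entries from a single IP, points at the real sender.
$rows |
    Group-Object User, Source, IP |
    Sort-Object Count -Descending |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Count  = $_.Count
            User   = $sorted[0].User
            Source = $sorted[0].Source
            IP     = $sorted[0].IP
            First  = $sorted[0].Time
            Last   = $sorted[-1].Time
        }
    } |
    Format-Table -AutoSize
```

Run it from a workstation with RSAT as a domain admin, e.g. `.\lockouts.ps1 -Hours 6 -WatchAccounts 'admin1','svc_exchange'`; if the lockout threshold has been set to 0 as in "Chapter one", 4740 events stop but the 4771/4776 failures keep coming and are still grouped.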
Guest Al Dunbar
Posted March 17, 2008
Re: Hacker locking my accounts

"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...
> Hey Bob, Didn't we talk before on this? I recall advising WireShark.
>
> However, reading the below I'm getting a better impression of what is happening. Microsoft IS giving you the correct information to find the person doing this, depending on how you have things running.
>
> Forgive me if below I'm going too 'low level', it's pretty basic stuff, but your mail sounds like you're at the end of your rope, and I just want to make sure we've covered all the bases, including the obvious ones.
>
> From what you're writing this sounds like a brute force password guessing tool that is being used against your administrative accounts.

While that could certainly be the case, it seems just as likely to be somebody running a script designed to lock administrative accounts by using their credentials continually with an invalid password.

> To start there's a few things you can do with group policies to at least make sure you don't get into trouble, while making things harder for the 'hacker'.
>
> The following steps are just to 'temporarily protect yourself' while investigating further, to make sure your accounts aren't getting locked out. Again: I'm not trying to sound demeaning, just covering the bases/basics, so I'll go through every step, even though this may be peanuts for you.
>
> Chapter one: protection.
>
> In Group Policy Management, make sure to edit the Default Domain Policy and go to Windows Settings\Security Settings\Account Lockout Policy.
>
> Define:
> Account lockout duration: not defined
> Account lockout threshold: 0 invalid logon attempts
> Reset account lockout counter after: not defined
>
> Now your accounts will no longer be locked out. Be careful, as this also allows the hacker to run his tools unlimitedly against the accounts (the lockout slowed him down considerably). I'm only proposing this as you point out that you fear losing your administrative accounts, but put this lockout threshold back in place a.s.a.p. if you decide to go this route in the first place.
>
> Chapter two: identifying the hacker
>
> This we can do by making sure Audit account logon events are being audited correctly. To do this, we again use Group Policy Management and we'll define the Default Domain Controllers Policy. In that policy, go to Windows Settings\Security Settings\Local Policies\Audit Policy and make sure to change 'Audit account logon events'. See to it that Success as well as Failure (especially that one) are being logged.
>
> To ensure your Domain controllers have the policy applied as quickly as possible you might consider running 'GPUpdate /force' from the command prompt on your DC's. Otherwise allow some time to pass.
>
> Now each logon event will get logged in the eventlog, with the IP address of the person attempting to logon. The problem is that a user can logon using any domain controller; however, each failed logon on any DC gets 'double checked' by that DC by sending it to the domain's PDC emulator (one of the FSMO roles as you may recall), so it makes most sense to check the eventlogs of the PDC emulator Domain Controller. You can easily find out who the PDC emulator is by opening Active Directory Users and Computers, right-clicking your domain name, and selecting 'Operations Masters'.

A question: does the IP address of the person get logged even if they are not attempting to logon, but just, for example, map a share or use the runas command? Those techniques could be used by a brute-force password guessing program, but I am not sure if it is flagged as a logon event.

> The event-ID you are looking for is event: 575, Source: Security, Category: Account Logon.
>
> In the Description field you can see the user name of the account being attempted, but more importantly: the IP number of the system from where the attempt is being done.
>
> I hope this helps you, sorry for wasting your time if you had already done the above.
>
> regards,
>
> Paul
Guest just bob
Posted March 17, 2008
Re: Hacker locking my accounts

"Tomasz Onyszko" <t.onyszko_spam_@w2k.pl> wrote in message news:47DD9046.10605@w2k.pl...
> It doesn't necessarily have to be a hacker trying to breach your network - it might be (and it is more likely) an old service or mapped network share which is using an old administrator account.

???? The guy spoofs the machine name differently every time. Last time he called it "sorry".
Guest just bob
Posted March 17, 2008
Re: Hacker locking my accounts

Hi Paul,

Thanks, no not a waste of time at all. I might turn the locking off as you describe. Also I'm pretty sure I have my logging set up OK as I am using a program to copy the logs from the OM to another machine and also it sends me an email when it sees a string which indicates an account is locked, which is forwarded to my Blackberry. So I got the logging but... the problem is the guy is making up random names for the machine and it does not show me an IP address.

I used wireshark and am capturing all traffic to the ops master. But I do not see any unknown IP addresses and I don't know wireshark well enough to know how to look for the packets causing the attack to determine if it *is* coming from one of my machines.

Thanks again for your help.

"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...
Guest just bob
Posted March 17, 2008
Re: Hacker locking my accounts

I should have said he is making up random machine names, not "spoofing" as I said. Thanks for the link - I am going to see if I can find something there to help.

"Tomasz Onyszko" <t.onyszko_spam_@w2k.pl> wrote in message news:47DD9046.10605@w2k.pl...
> It doesn't necessarily have to be a hacker trying to breach your network - it might be (and it is more likely) an old service or mapped network share which is using an old administrator account.
>
> Try to use these tools to troubleshoot the cause of your problems:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
Guest just bob
Posted March 17, 2008
Re: Hacker locking my accounts

"Tomasz Onyszko" <t.onyszko_spam_@w2k.pl> wrote in message news:47DD9046.10605@w2k.pl...
> It doesn't necessarily have to be a hacker trying to breach your network - it might be (and it is more likely) an old service or mapped network share which is using an old administrator account.
>
> Try to use these tools to troubleshoot the cause of your problems:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Also I said he locked all my admin accounts, which did include service accounts for Exchange and more. This is no accident - he knew exactly which accounts were domain admins. I got lucky he missed the original local admin account on his first pass because it turned out to be my only backdoor into my own AD console. Then minutes later he locked that account too. And yes, it is no longer called administrator.
Guest just bob
Posted March 17, 2008
Re: Hacker locking my accounts

One more thing: Is there a way to lock an account without even trying three times? Is there some way to send a packet which locks it on the first try? Because that is how it looks. I could see how someone could send a packet to disable the account, but that is not what is happening.

"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...
Guest just bob Posted March 17, 2008 Re: Hacker locking my accounts

The guy just created a user account called "sorry". Strange he did not give it domain admin access.

"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...
> Hey Bob, Didn't we talk before on this? I recall advising WireShark.
>
> However, reading the below I'm getting a better impression of what is happening. Microsoft IS giving you the correct information to find the person doing this, depending on how you have things running.
>
> Forgive me if below I'm going too 'low level', it's pretty basic stuff, but your mail sounds like you're at the end of your rope, and I just want to make sure we've covered all the bases, including the obvious ones.
>
> From what you're writing this sounds like a brute force password guessing tool that is being used against your administrative accounts. To start there's a few things you can do with group policies to at least make sure you don't get into trouble, while making things harder for the 'hacker'.
>
> The following steps are just to 'temporarily protect yourself' while investigating further, to make sure your accounts aren't getting locked out. Again: I'm not trying to sound demeaning, just covering the bases/basics, so I'll go through every step, even though this may be peanuts for you.
>
> Chapter one: protection.
>
> In Group Policy Management, make sure to edit the Default Domain Policy and go to Windows Settings\Security Settings\Account Lockout Policy.
>
> Define the Account lockout duration to be not defined
> Account lockout threshold: 0 invalid logon attempts
> Reset account lockout counter after: not defined
>
> Now your accounts will no longer be locked out. Be careful, as this also allows the hacker to run his tools unlimitedly against the accounts (the lockout slowed him down considerably). I'm only proposing this as you point out that you fear losing your administrative accounts, but put this lockout threshold back in place a.s.a.p. if you decide to go this route in the first place.
>
> Chapter two: identifying the hacker
>
> This we can do by making sure Audit account logon events are being audited correctly. To do this, we again are using Group Policy Management and we'll define the Default Domain Controllers Policy. In that policy, go to Windows Settings\Security Settings\Local Policies\Audit Policy and make sure to change 'Audit account logon events'. See to it that Success as well as Failure (especially that one) are being logged.
>
> To ensure your Domain controllers have the policy applied as quickly as possible you might consider running 'GPUpdate /force' from the command prompt on your DCs. Otherwise allow some time to pass.
>
> Now each logon event will get logged in the eventlog, with the IP address of the person attempting to logon. The problem is that a user can logon using any domain controller; however, each failed logon on any DC gets 'double checked' by that DC by sending it to the domain's PDC emulator (one of the FSMO roles as you may recall), so it makes most sense to check the eventlogs of the PDC emulator Domain Controller. You can easily find out who the PDC emulator is by opening Active Directory Users and Computers, right-clicking your domain name, and selecting 'Operations Masters'.
>
> The event-ID you are looking for is event: 575, Source: Security, Category: Account Logon.
>
> In the Description field you can see the user name of the account being attempted, but more importantly: the IP number of the system from where the attempt is being done.
>
> I hope this helps you, sorry for wasting your time if you had already done the above.
>
> regards,
>
> Paul
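Paul's two chapters above boil down to one procedure: find the PDC emulator, make sure account-logon auditing is on, then read its Security log for the failed attempts and the machine they came from. The PowerShell below is an added example, not Paul's or Bob's code and not from this thread. It assumes the RSAT ActiveDirectory module, domain controllers on Windows Server 2008 or later (so the event IDs are 4740/4771/4776 rather than the 5xx/6xx IDs of the era of this thread), auditing of account logon and account management events enabled for Success and Failure on the Default Domain Controllers Policy, and rights to read the remote Security log; the function names and output columns are this example's own. It builds in the caveat behind Bob's "random spoof machine name": only the Kerberos failure event carries the client's IP address, while the NTLM event records nothing but the workstation name the client itself put in the request, which is exactly the field that can be made to read "sorry".

```powershell
# Added example (not from the thread). Pulls the lockout trail from the PDC
# emulator's Security log and flags caller names that no domain computer owns.
# Assumed: RSAT ActiveDirectory module; DCs on Windows Server 2008 or later
# (event IDs 4740/4771/4776); "Audit account logon events" and "Audit account
# management" set for Success and Failure on the Default Domain Controllers
# Policy; rights to read the remote Security log. Names and output shape are
# this example's own.
Import-Module ActiveDirectory

function ConvertFrom-EventData {
    # Turn an event's <EventData> section into a name -> value hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $map[$d.Name] = $d.'#text'
    }
    return $map
}

function Get-LockoutSources {
    param(
        [int]$Hours = 24,
        # Every bad password and every lockout is forwarded to the PDC emulator
        # (Paul's point above), so its log is the one place that sees them all.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4740, 4771, 4776
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $d = ConvertFrom-EventData $e
        switch ($e.Id) {
            4740 {
                # Account locked out. The "Caller Computer Name" is stored in
                # TargetDomainName and is whatever the client claimed to be.
                [pscustomobject]@{ Time = $e.TimeCreated; Event = '4740 lockout'
                    Account = $d['TargetUserName']; Caller = $d['TargetDomainName']; IP = $null }
            }
            4771 {
                # Kerberos pre-authentication failed. Status 0x18 is a wrong
                # password, and this event carries the real client IP.
                if ($d['Status'] -eq '0x18') {
                    [pscustomobject]@{ Time = $e.TimeCreated; Event = '4771 Kerberos bad password'
                        Account = $d['TargetUserName']; Caller = $null
                        IP = ($d['IpAddress'] -replace '^::ffff:', '') }
                }
            }
            4776 {
                # NTLM credential validation. Only a client-supplied workstation
                # name, no IP: this is the field an attacker can set to "sorry".
                if ($d['Status'] -ne '0x0') {
                    [pscustomobject]@{ Time = $e.TimeCreated; Event = "4776 NTLM status $($d['Status'])"
                        Account = $d['TargetUserName']; Caller = $d['Workstation']; IP = $null }
                }
            }
        }
    }

    # Cross-check each caller name against the directory. A name with no
    # computer object cannot be trusted; a name that does exist tells you
    # which host to capture on (or which host runs the stale service).
    $known = @{}
    foreach ($r in $rows) {
        $inAD = $null
        if ($r.Caller) {
            if (-not $known.ContainsKey($r.Caller)) {
                $obj = Get-ADComputer -Filter "Name -eq '$($r.Caller)'" -ErrorAction SilentlyContinue
                $known[$r.Caller] = [bool]$obj
            }
            $inAD = $known[$r.Caller]
        }
        $r | Add-Member -NotePropertyName CallerInAD -NotePropertyValue $inAD -PassThru
    }
}
```

Run `Get-LockoutSources -Hours 48 | Sort-Object Time | Format-Table -AutoSize` from a machine with RSAT, or pipe through `Where-Object { $_.CallerInAD -eq $false }` to list the caller names that no computer in the domain actually owns; a 4771 row with an IP for the same account in the same minute is the machine to walk over to. For Paul's chapter one, `Get-ADDefaultDomainPasswordPolicy` shows the lockout threshold currently in force, and `Search-ADAccount -LockedOut | Unlock-ADAccount` unlocks everything in one go while you investigate, without having to drop the threshold to 0.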
Guest Larry Struckmeyer Posted March 17, 2008 Re: Hacker locking my accounts

Hi Bob:

Just thinking about what I might do, and what the exposure is, and how frustrating it must be to encounter this.

The 10 Immutable Laws tell us that if you have been repeatedly hacked, "it's not your computer any more". http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

Further, there are serious folks that feel strongly that it will never be "your computer" again. At least not "your hard drive". If you can't figure out what the direct cause is, it might easily be an intruder, or, perhaps worse, an intruder's program that changes these accounts at random intervals, with or without a signal from "headquarters". And, what else??

I think I would copy off user data, scrub it with several known anti-virus/anti-malware products, and isolate it. Put back only what your users demand, and only after opening each one on an isolated system that has current anti-spyware / anti-spam / anti-rootkit products installed and updated.

And, you should consider destroying every hard drive in the organization and installing new drives and new installations of Windows. Unless, of course, you can prove that the symptoms are harmless.

Call MS at: FREE VIRUS AND SECURITY INFO: (888) PC SAFETY

-- Larry

"just bob" <kilbyfan@aol.com> wrote in message news:47ddc3b0$0$36355$742ec2ed@news.sonic.net...
> One more thing:
>
> Is there a way to lock an account without even trying three times? Is there some way to send a packet which locks it on the first try? Because that is how it looks. I could see how someone could send a packet to disable the account but that is not what is happening.
Guest Roger Abell [MVP] Posted March 17, 2008 Re: Hacker locking my accounts

If the person created a domain account then they likely already do have domain admin and really did not need to set up red flags by causing an entry named sorry in the list of domain admin accounts.

"just bob" <kilbyfan@aol.com> wrote in message news:47ddc960$0$36352$742ec2ed@news.sonic.net...
> The guy just created a user account called "sorry". Strange he did not give it domain admin access.
Guest Roger Abell [MVP] Posted March 17, 2008 Re: Hacker locking my accounts

You have not stated what the Windows version is. It sounds like it must be an older one if there is no IP in the login failure event messages.

"just bob" <kilbyfan@aol.com> wrote in message news:47ddbfa6$0$36366$742ec2ed@news.sonic.net...
> Hi Paul, Thanks, no not a waste of time at all. I might turn the locking off as you describe. Also I'm pretty sure I have my logging set up OK as I am using a program to copy the logs from the OM to another machine and also it sends me an email when it sees a string which indicates an account is locked, which is forwarded to my Blackberry. So I got the logging but... the problem is the guy is making up random names for the machine and it does not show me an IP address.
>
> I used wireshark and am capturing all traffic to the ops master. But I do not see any unknown IP addresses and I don't know wireshark well enough to know how to look for the packets causing the attack to determine if it *is* coming from one of my machines.
>
> Thanks again for your help.
Guest Tomasz Onyszko Posted March 17, 2008 Re: Hacker locking my accounts

just bob wrote:
> ???? The guy spoofs the machine name differently every time. Last time he called it "sorry"

OK - sorry :) I've missed this part of your post

-- Tomasz Onyszko http://www.w2k.pl/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN)
Guest Paul Weterings Posted March 17, 2008 Re: Hacker locking my accounts

The auditing settings I described log -an IP address- in the event log of your PDC emulator DC, which I think is what you are looking for. Are you really sure you've got your auditing set up correctly using group policy?

Once you have the IP address, we're ready for the next step... getting even ;-)

b.t.w. There is no 'lock' packet, the only way to lock an account is to attempt to login with the wrong credentials a number of times.

With regards to WireShark; you could filter out Kerberos and/or NTLM, as these take care of authentication. The rest can be left out.

cheers,

Paul

just bob wrote:
> Hi Paul, Thanks, no not a waste of time at all. I might turn the locking off as you describe. Also I'm pretty sure I have my logging set up OK as I am using a program to copy the logs from the OM to another machine and also it sends me an email when it sees a string which indicates an account is locked, which is forwarded to my Blackberry. So I got the logging but... the problem is the guy is making up random names for the machine and it does not show me an IP address.
>
> I used wireshark and am capturing all traffic to the ops master. But I do not see any unknown IP addresses and I don't know wireshark well enough to know how to look for the packets causing the attack to determine if it *is* coming from one of my machines.
>
> Thanks again for your help.
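Paul's suggestion to keep only Kerberos and NTLM in the capture can be turned into a summary that answers Bob's question directly: which IP address is sending authentication requests for which account, regardless of the workstation name the client claims. The PowerShell below is an added example, not Paul's or Bob's code and not from this thread; it drives tshark (installed with Wireshark) and assumes it is on the PATH and that the capture was taken on, or mirrored to, the PDC emulator. The function name and output columns are this example's own. It reads the Kerberos AS-REQ (Paul's 'Kerberos') and the NTLM AUTHENTICATE message (Paul's 'NTLM'), the two packets in which a client names the account it wants; the source address is taken from the IP header, which is a different thing from the workstation name the client chooses to report.

```powershell
# Added example (not from the thread). Summarises a capture so the
# authentication requests stand out by real source address.
# Assumed: tshark (ships with Wireshark) on the PATH; $PcapPath is a capture
# taken on the DC. Function name and columns are this example's own.
function Get-AuthRequestSummary {
    param(
        [Parameter(Mandatory)][string]$PcapPath,
        [string[]]$Accounts = @()   # optional: restrict to e.g. the admin accounts
    )
    # Kerberos AS-REQ is msg-type 10; NTLM AUTHENTICATE is NTLMSSP message type 3.
    # Both carry the account name the client is trying to use.
    $displayFilter = 'kerberos.msg_type == 10 || ntlmssp.messagetype == 0x00000003'
    $raw = & tshark -r $PcapPath -Y $displayFilter -T fields `
        -e frame.time_epoch -e ip.src `
        -e kerberos.CNameString -e ntlmssp.auth.username -e ntlmssp.auth.hostname

    $rows = foreach ($line in $raw) {
        $f = $line -split "`t"          # -T fields emits one tab-separated row per packet
        if ($f.Count -lt 5) { continue }
        $isNtlm = -not [string]::IsNullOrEmpty($f[3])
        [pscustomobject]@{
            Time        = [DateTimeOffset]::FromUnixTimeSeconds([long][double]$f[0]).LocalDateTime
            SourceIP    = $f[1]      # from the IP header, not a client-chosen name
            Protocol    = if ($isNtlm) { 'NTLM AUTHENTICATE' } else { 'Kerberos AS-REQ' }
            Account     = if ($isNtlm) { $f[3] } else { $f[2] }
            ClaimedHost = if ($isNtlm) { $f[4] } else { $null }   # the field that can say "sorry"
        }
    }
    if ($Accounts.Count -gt 0) {
        $rows = $rows | Where-Object { $Accounts -contains $_.Account }
    }

    # One line per (source IP, account): who is hammering which account, how
    # often, and under which claimed hostnames.
    $rows | Group-Object SourceIP, Account | ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            SourceIP     = $_.Group[0].SourceIP
            Account      = $_.Group[0].Account
            Attempts     = $_.Count
            Protocols    = ($_.Group.Protocol | Sort-Object -Unique) -join ','
            ClaimedHosts = ($_.Group.ClaimedHost | Where-Object { $_ } | Sort-Object -Unique) -join ','
            First        = $times[0]
            Last         = $times[-1]
        }
    } | Sort-Object Attempts -Descending
}
```

Call it as `Get-AuthRequestSummary -PcapPath .\dc-capture.pcapng -Accounts 'administrator','bob.admin' | Format-Table -AutoSize`. A line with a large Attempts count, a ClaimedHosts value that is not a real machine and a SourceIP inside the LAN is the host to go and look at, which is what Bob's "is it coming from one of my machines" comes down to. The Kerberos replies are the other half of the same exchange: the display filter `kerberos.error_code == 24` (KDC_ERR_PREAUTH_FAILED) keeps only the KRB-ERROR packets the DC sent back for wrong passwords, with the attacker's address in ip.dst.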
Guest just bob Posted March 17, 2008 Posted March 17, 2008 Re: Hacker locking my accounts Aha, I get it. I will change our settings for more details. And I gotta get better at understanding the wireshark data! Thanks again "Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message news:47de728e$0$31449$e4fe514c@dreader15.news.xs4all.nl... > The auditing settings I described logs -an IP address- in the event log of > your PDC DC comptroller, which I think is what you are looking for. Are > you really sure you've got your auditing set up correctly using group > policy? > > Once you have the IP address, we're ready for the next step... getting > even ;-) > > b.t.w. There is no 'lock' packet, the only way to lock an account is to > attempt to login with the wrong credentials a number of times. > > with regards to WireShark; you could filter out Kerberos and/or NTLM, as > these take care of authentication. The rest can be left out. > > cheers, > > Paul > > just bob wrote: >> Hi Paul, Thanks, no not a waste of time at all. I might turn the locking >> off as you describe. Also I'm pretty sure I have my logging setup OK as I >> am using a program to copy the logs from the OM to another machine and >> also it sends me an email when it sees a string which indicates an >> account is locked which is forwarded to my Blackberry. So I got the >> logging but... the problem is the guy is making up random names for the >> machine and it does not show me a IP address. >> >> I used wireshark and am capturing all traffic to the ops master. But I do >> not see any unknown IP addresses and I don't know wireshark well enough >> to know how to look for the packets causing the attack to determine if it >> *is* coming from one of my machines. >> >> Thanks again for your help. >> >> >> "Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message >> news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl... >>> Hey Bob, Didn't we talk before on this? I recall advising WireShark. 
>>> However, reading the below I'm getting a better impression of what is happening. Microsoft IS giving you the correct information to find the person doing this, depending on how you have things running.
>>>
>>> Forgive me if below I'm going too 'low level', it's pretty basic stuff, but your mail sounds like you're at the end of your rope, and I just want to make sure we've covered all the bases, including the obvious ones.
>>>
>>> From what you're writing this sounds like a brute force password guessing tool that is being used against your administrative accounts. To start there's a few things you can do with group policies to at least make sure you don't get into trouble, while making things harder for the 'hacker'.
>>>
>>> The following steps are just to 'temporarily protect yourself' while investigating further, to make sure your accounts aren't getting locked out. Again: I'm not trying to sound demeaning, just covering the bases/basics, so I'll go through every step, even though this may be peanuts for you.
>>>
>>> Chapter one: protection.
>>>
>>> In the Group and Policy Manager; make sure to edit the Default Domain Policy and go to the Windows Settings\Security Settings\Account Lockout Policy.
>>>
>>> Define the Account lockout duration to be not defined
>>> Account lockout threshold: 0 invalid logon attempts
>>> Reset account lockout counter after: not defined
>>>
>>> Now your accounts will no longer be locked out. Be careful, as this also allows the hacker to run his tools now unlimitedly against the accounts (the lockout slowed him down considerably). I'm only proposing this as you point out that you fear losing your administrative accounts, but put this lockout threshold back in place a.s.a.p. if you decide to go this route in the first place.
>>>
>>> Chapter two: identifying the hacker
>>>
>>> This we can do by making sure Audit account logon events are being audited correctly. To do this, we again are using Group Policy Management and we'll define the Default Domain Controllers Policy. In that policy, go to Windows Settings\Security Settings\Local Policies\Audit Policy and make sure to change 'Audit account logon events'. See to it that Success as well as Failure (especially that one) are being logged.
>>>
>>> To ensure your Domain controllers have the policy applied as quickly as possible you might consider running 'GPUpdate /force' from the command prompt on your DCs. Otherwise allow some time to pass.
>>>
>>> Now each logon event will get logged in the eventlog, with the IP address of the person attempting to logon. The problem is that a user can logon using any domain controller, however; each failed logon on any DC gets 'double checked' by that DC by sending it to the domain's PDC emulator (one of the FSMO roles as you may recall) so it makes most sense to check the eventlogs of the PDC emulator Domain Controller. You can easily find out who the PDC emulator is by opening Active Directory Users and Computers, right-clicking your domain name, and selecting 'operations masters'.
>>>
>>> The event-ID you are looking for is event: 575, Source: Security, Category: Account Logon.
>>>
>>> In the Description field you can see the user name of the account being attempted, but more importantly: the IP number of the system from where the attempt is being done.
>>>
>>> I hope this helps you, sorry for wasting your time if you had already done the above.
>>>
>>> regards,
>>>
>>> Paul
>>>
>>> just bob wrote:
>>>> Microsoft wizards please help me as I am desperate. Someone continues to lock all my admin accounts. My firewall is working properly (allowing only port 53) so I think the guy is using one of the 120 PC's or another server on my network to read my user database and identify the admin accounts and send a command to lock them. We've got the latest Symantec antivirus corporate edition installed and updated on all the machines and it's supposed to identify spyware, etc. Why is it so easy for this guy to do this? I have downloaded all the high priority updates for all machines, servers and PC's. We've also used the server lockdown tool. Why doesn't this help? Most importantly, why does Microsoft not give me more detailed info on which machine this guy is using? The event log just has a random spoof machine name. Last time he did this he spoofed the machine name field to say "sorry". I got lucky there was one admin account he missed and I was able to unlock the accounts. Next time I fear I will not be so lucky.
>>>>
>>>> If there is a better group or forum to use or consultant I can call to get help please advise.
>>
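The "chapter two" procedure quoted above, carried through as an added example (my script, not Paul's and not a Microsoft tool). It assumes the event IDs of Windows Server 2008 and later (4740 account locked out, 4771 Kerberos pre-authentication failure, 4776 NTLM credential validation) rather than the 2003-era IDs the thread talks about, the ActiveDirectory RSAT module on the admin workstation, and permission to read every DC's Security log remotely; the account names and time windows are parameters you would set yourself. It first confirms the lockout policy, then takes each lockout from the PDC emulator and searches all DCs for the bad-password events that caused it, reporting a real IP where one exists and flagging the client-supplied names (the field that read "sorry" in Bob's log) as untrusted:

```powershell
# Added example (not from the thread): trace a domain account lockout back to a
# source IP using the DCs' Security logs. Assumes Windows Server 2008+ event IDs,
# the ActiveDirectory RSAT module, and permission to read each DC's Security log.
param(
    [string[]] $Accounts      = @('Administrator'),  # assumption: accounts to watch
    [int]      $Hours         = 24,                  # how far back to look for lockouts
    [int]      $WindowMinutes = 10                   # bad-password window before each lockout
)

Import-Module ActiveDirectory

# Sanity check on "chapter one": a threshold of 0 means lockout is disabled.
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Lockout threshold {0}, duration {1}, observation window {2}" -f
    $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow)

# Every DC forwards bad-password attempts to the PDC emulator, so 4740 (account
# locked out) on that one DC is the authoritative list of lockouts.
$pdc    = (Get-ADDomain).PDCEmulator
$allDcs = (Get-ADDomainController -Filter *).HostName
$since  = (Get-Date).AddHours(-$Hours)

# Pull a named <Data Name="..."> value from an event; the names are stable, the
# positional Properties[] indices are not.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event, [string] $Name)
    $xml = [xml] $Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($lock in $lockouts) {
    $user = Get-EventField $lock 'TargetUserName'
    if ($Accounts -notcontains $user) { continue }

    # "Caller Computer Name" is whatever the client sent in its authentication
    # request. It is the field Bob saw as "sorry", so report it but never trust it.
    $claimed = Get-EventField $lock 'TargetDomainName'
    [pscustomobject]@{ Time = $lock.TimeCreated; User = $user; Event = 4740; DC = $pdc; Source = "$claimed (claimed caller)" }

    # The failed attempts themselves were processed by whichever DC the client
    # used, so search all DCs in the minutes before the lockout.
    #   4771 = Kerberos pre-authentication failed: carries the client IP.
    #   4776 = NTLM credential validation failed (net use / runas with a wrong
    #          password, as Al Dunbar describes): carries only a workstation name.
    $from = $lock.TimeCreated.AddMinutes(-$WindowMinutes)
    foreach ($dc in $allDcs) {
        $fails = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776; StartTime = $from; EndTime = $lock.TimeCreated
        } -ErrorAction SilentlyContinue
        foreach ($f in $fails) {
            if ((Get-EventField $f 'TargetUserName') -ne $user) { continue }
            if ($f.Id -eq 4771) {
                # Kerberos logs the real client address (often as ::ffff:a.b.c.d).
                $src = (Get-EventField $f 'IpAddress') -replace '^::ffff:', ''
            } else {
                # NTLM never gives the DC an IP; this name is client-supplied.
                $src = '{0} (claimed workstation, NTLM)' -f (Get-EventField $f 'Workstation')
            }
            [pscustomobject]@{ Time = $f.TimeCreated; User = $user; Event = $f.Id; DC = $dc; Source = $src }
        }
    }
}
```

If everything it returns is 4776 with an invented workstation name, the domain controller genuinely has no address to give you: the bad password arrived over NTLM from a member server or share, and the client's address is only in that server's own Security log (event 4625, "Source Network Address") or in the packet capture. That is the case Bob describes, and it is why capturing Kerberos and NTLM traffic at the operations master, as Paul suggests later in the thread, is the fallback.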
Guest Paul Weterings Posted March 21, 2008 Re: Hacker locking my accounts

To create a machine account you do not need to be admin... Bob has (in another thread) mailed that he's found the offender though...

Roger Abell [MVP] wrote:
> If the person created a domain account then they likely already do have domain admin and really did not need to set up red flags by causing an entry named sorry in the list of domain admin accounts.
>
> "just bob" <kilbyfan@aol.com> wrote in message news:47ddc960$0$36352$742ec2ed@news.sonic.net...
>> The guy just created a user account called "sorry". Strange he did not give it domain admin access.
>>
>> "Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message news:47dd9c88$0$7548$e4fe514c@dreader28.news.xs4all.nl...
>>> Hey Bob, Didn't we talk before on this? I recall advising WireShark.
Guest Al Dunbar Posted March 28, 2008 Re: Hacker locking my accounts

"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message news:47de728e$0$31449$e4fe514c@dreader15.news.xs4all.nl...
> The auditing settings I described log -an IP address- in the event log of your PDC domain controller, which I think is what you are looking for. Are you really sure you've got your auditing set up correctly using group policy?
>
> Once you have the IP address, we're ready for the next step... getting even ;-)
>
> b.t.w. There is no 'lock' packet, the only way to lock an account is to attempt to login with the wrong credentials a number of times.

IMHO, you need not actually attempt to log in, you only need to use the credentials with an incorrect password, which can be done in the context of a runas command, or using credentials to map a share. This is admittedly a trivial factoid, however, someone not realizing this might come to some invalid conclusions.

/Al

> with regards to WireShark; you could filter out Kerberos and/or NTLM, as these take care of authentication. The rest can be left out.
>
> cheers,
>
> Paul
>
> just bob wrote:
>> Hi Paul, Thanks, no not a waste of time at all. I might turn the locking off as you describe. Also I'm pretty sure I have my logging setup OK as I am using a program to copy the logs from the OM to another machine and also it sends me an email when it sees a string which indicates an account is locked which is forwarded to my Blackberry. So I got the logging but... the problem is the guy is making up random names for the machine and it does not show me an IP address.
>>
>> I used wireshark and am capturing all traffic to the ops master. But I do not see any unknown IP addresses and I don't know wireshark well enough to know how to look for the packets causing the attack to determine if it *is* coming from one of my machines.
>>
>> Thanks again for your help.
Guest Remco Posted March 30, 2008 Re: Hacker locking my accounts

I had 2 computers once also that locked out the user a couple of times a day and network shares were the problem. Check the event log to see if it is the IP address of this computer which locks out the account. If so, it is coming from that PC and shares and nethood settings can be a probable source. With 1 PC I couldn't track down the actual process so I reinstalled the PC and the problem was gone also.

"Al Dunbar" <AlanDrub@hotmail.com.nospaam> wrote in message news:e4eDVSPkIHA.1052@TK2MSFTNGP05.phx.gbl...
> "Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message news:47de728e$0$31449$e4fe514c@dreader15.news.xs4all.nl...
>> The auditing settings I described log -an IP address- in the event log of your PDC domain controller, which I think is what you are looking for. Are you really sure you've got your auditing set up correctly using group policy?
>>
>> Once you have the IP address, we're ready for the next step... getting even ;-)
>>
>> b.t.w. There is no 'lock' packet, the only way to lock an account is to attempt to login with the wrong credentials a number of times.
>
> IMHO, you need not actually attempt to log in, you only need to use the credentials with an incorrect password, which can be done in the context of a runas command, or using credentials to map a share. This is admittedly a trivial factoid, however, someone not realizing this might come to some invalid conclusions.
>
> /Al
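Once the DC-side hunt points at a particular PC, the next question is what on that machine keeps replaying an old password. Al Dunbar's point (a runas or a share mapping with a wrong password is enough) and Remco's (shares and nethood shortcuts were the cause on his two PCs) both come down to stored credentials. The following is an added example, mine rather than either poster's, of a PowerShell inventory to run locally, as an administrator, on the suspect workstation; the account name it looks for is an assumed parameter, and the Network Shortcuts paths are the standard Vista-and-later and XP locations:

```powershell
# Added example (not from the thread): on a suspect PC, list the places a stale
# password for a domain account is commonly replayed from. Run elevated, locally.
param([string] $Account = 'Administrator')   # assumption: the sAMAccountName being locked

$pattern = [regex]::Escape($Account)
$hits    = @()

# 1. Current SMB connections and drive mappings (Remco's "network shares").
$hits += net use 2>$null | Select-String -Pattern '\\\\' | ForEach-Object {
    [pscustomobject]@{ Source = 'net use'; Detail = $_.Line.Trim() } }

# 2. Credentials saved in Credential Manager. cmdkey prints one "Target:" block per
#    entry, so split on that and keep the blocks naming the account.
$hits += ((cmdkey /list 2>$null) -join "`n") -split "`n(?=\s*Target:)" |
    Where-Object { $_ -match $pattern } |
    ForEach-Object { [pscustomobject]@{ Source = 'cmdkey'; Detail = ($_ -replace '\s+', ' ').Trim() } }

# 3. Explorer "nethood" shortcuts; each is a folder holding a target.lnk. These do
#    not store a password, but Explorer reconnects them with whatever is cached.
$nethood = @("$env:APPDATA\Microsoft\Windows\Network Shortcuts", "$env:USERPROFILE\NetHood")
$hits += $nethood | Where-Object { Test-Path $_ } | ForEach-Object {
    Get-ChildItem $_ -Directory | ForEach-Object {
        [pscustomobject]@{ Source = 'nethood'; Detail = $_.FullName } } }

# 4. Services configured to log on as the account (password stored by the SCM).
$hits += Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -match $pattern } |
    ForEach-Object { [pscustomobject]@{ Source = 'service'; Detail = "$($_.Name) runs as $($_.StartName)" } }

# 5. Scheduled tasks whose "Run As User" is the account.
$hits += schtasks /query /v /fo csv 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $pattern } |
    ForEach-Object { [pscustomobject]@{ Source = 'schtasks'; Detail = "$($_.TaskName) runs as $($_.'Run As User')" } }

# 6. Logon sessions still open under the account, e.g. a runas window or a console
#    session that was left logged in before the password changed.
$hits += Get-CimInstance Win32_LoggedOnUser |
    Where-Object { $_.Antecedent.Name -match $pattern } |
    ForEach-Object { [pscustomobject]@{ Source = 'session'; Detail = "$($_.Antecedent.Domain)\$($_.Antecedent.Name) is logged on" } }

$hits | Format-Table -AutoSize
```

Anything the script lists is a candidate to remove or re-enter with the current password; if the list is empty and the lockouts still trace to that PC, the replay is coming from a process with its own credential store, which is the situation where Remco gave up and rebuilt the machine.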