
Need help with lockout attack.


Hugh Caldwell

Jun 23, 2003, 10:30:05 AM
Hello,

My network appears to be being attacked by someone who is locking out
all the users accounts. A typical entry into the security event log
reads:
User Account Locked Out:
Target Account Name: jdoe
Target Account ID: J-1-8-21-1333716358-1641543534-689521291-1248
Caller Machine Name: \\FAMILLE
Caller User Name: SYSTEM
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E7)

The lockouts occurred in alphabetical order and each at about 20 second
intervals. I've since changed all of the passwords on the network and
the problem hasn't occurred again. I was hoping I could get some
information as to how this might have happened and any ideas as to how
to prevent it in the future. I'm new to network administering (former
programmer) so any resources you could point me to would be greatly
appreciated.

Thanks,
Hugh Caldwell

- AJS

Jun 23, 2003, 12:21:32 PM

Hi Hugh,

Here's the deal. Someone has/had access to your local network. The machine used
was named "\\FAMILLE" (we'll get back to that in a minute).

User names are automatically enumerated to any machine on your network, by
anonymous request, by default. Getting the user list is usually trivial. With
that list of names in hand, someone tried to brute force a password to log into
your domain. They used some downloaded app that probably ran a simple
dictionary attack on all your accounts in turn. If you didn't have lockout
enabled following x failed attempts, they would own you right now.

Here's the thing... they still might.

1st, does that machine exist on your domain? Check your browser list, and see
if you can ping it by name. Did WINS pick it up? Is there a MAC address still in
the ARP cache (in case you catch them ;^)?

Now, go through your user list with a fine tooth comb... Did all accounts lock
out, or was one or more left alone? If so, money says that they got in on the
first account alphabetically that did not lock out.

Next, are all the accounts correct? Look for a new account, something that kind
of looks like it belongs. The first thing you do when you hack a network is
create a couple accounts for yourself.

And finally, find out how they connected. You have the time of the intrusion...
How did they get local access? It is critical to track it down... Night
security w/ a laptop? RAS? Wireless network? This had to be local... An
intrusion via Internet would leave different evidence - even if they breached
your VPN.

If \\FAMILLE is one of your machines, confiscate it right now. Take it off the
network. Give the user something else to work on. And then tear that thing
apart. They may have gotten local access after failing to get Domain access.
And once in the machine, they can set up password sniffers, log your network
traffic, etc., etc. Log into it ONLY off the wire, with the local admin
password. Then check it for new accounts, weird memberships in the local admin
group, etc. Look for known malware... etc. And do not reconnect it to your
network until: 1) You Ghost the entire system to CD for evidence. 2) You are
certain that you can learn nothing more from it. 3) You have completely wiped
and reformatted the system, having first checked for hidden partitions, etc.

Final thought: Because this was local, you have a physical layer threat to
address as well... Check all your hubs/switches for improper connections...
Look for a sniffer, especially if you have any out-of-the-way places - like
repeaters used to extend your wired range. Also, make the rounds and physically
check the keyboard connection to all your workstations. Keyboard loggers are
very cheap and easy to buy. And finally, verify that your server consoles are
physically secure. If I can physically touch your servers, there isn't anything
you can do to keep me out given time, especially on internal, typically
unhardened servers.

You've got a local script kiddie playing around... Track him down and slap him,
hard, before he causes some real trouble for somebody.

Good luck,
- AJS
