Possible new attack on MS Domain Controllers

Saracini, Bill SaraciniW at health.missouri.edu
Thu Jun 13 18:18:35 GMT 2002

We believe we experienced a new attack last night that first scanned our netspace on port 3389 (terminal server) and combined port 445 LDAP queries to eventually target domain administrator accounts in Active Directory.  The automated attack resulted in failed login attempts on the domain controller(s) and lockouts on the accounts involved.  Additional suspicious MS SMB protocol packets to the domain controllers were observed, later, from other external hosts.

This was a very targeted attack on administrator accounts.  What we do not know is whether other institutions are seeing this same activity.  If anyone has seen similar threats recently, please let us know...



William J. (Bill) Saracini
System Security Analyst
University of Missouri Health Care
DC017.00  QD 265D
573-884-2591 or page 573-441-4103
FAX 573-884-2650
