[unisog] Heavy NetBIOS, Windows TSE, pcANYWHERE

Bukys, Liudvikas bukys at rochester.edu
Tue Jun 18 02:03:59 GMT 2002

Our recent experience:


We have been experiencing waves of port 3389 WTS attacks for a while.
It gives the attacker an IDS-invisible channel to your domain.
* One notable piece of useful information I picked up from incidents
and unisog was http://www.hammerofgod.com/download.htm regarding
the TSGrinder tool, and one useful-for-know mitigation: set the
login banner, it interferes with the current generation of automated
WTS attack tooks.


On Friday June 14, after a few weeks of respite, we experienced some
very high-volume NT domain brute-force attempts.  The touch was light
enough to avoid locking accounts, though.  Our particular attacker
was coming from a computer compromised with the Fluxay Sensor Console
installed.  We find a very large proportion of our attackers appear
from the Genuity network 4.*.*.*, a hotbed of vulnerable small businesses
blithely running SQL Servers, Windows TSE, unpatched IIS, etc.
Have others noticed the same?  Note: in many cases, I have leads from
these machine back to a modest number of machines Hubei province in China.
Anyone else share that?

* I am particularly interested in the remark regarding perceived concentration
on Medical Centers, as our Medical Center domain controllers were poked
heavily.  I'd be grateful for more information there.


Yesterday we had a heavy wave of port 5631 pcANYWHERE brute forcing.
Attackers installed RemoteNC on some machines, defacing or destroying
many of them; in addition, ISS and a forged license key was installed
on one.  Renaming "Administrator" for pcANYWHERE, running on alternate
ports, and encouraging password complexity are good minimal ideas.

I've been wondering about whether our 3389/5631 attacks involve some
shortcut access to passwords or other vulnerabilities, but I don't have
any evidence for anything other than pure brute force.

Liudvikas Bukys
University of Rochester
bukys at rochester.edu

More information about the unisog mailing list