[unisog] PC hack

Gary Flynn flynngn at jmu.edu
Thu Mar 28 18:25:23 GMT 2002


Jenett Tillotson wrote:
> 
> We had 3 PC's running Windows 2000 broken into on Tuesday, March
> 26th.  These were machines with accounts that had no passwords.
> 
> I'm curious if anyone else has seen a similar attack and what else should
> we be looking for?

What else should you be looking for on those machines? 

I'd say they need to be wiped clean and re-installed before being put back
in service.

What else should you be looking for to prevent further occurrences?

1) Block NetBIOS at the border if you can. (ports 137,138,139,445)

2) If NetBIOS is open, any NT, Win2000, or XP system without an
   administrator password is wide open...the entire hard drive
   is shared on the network through the hidden administrative
   shares giving the whole world the ability to take control of the
   machine. Same for Windows 9x machines with the entire hard
   drive shared read/write.

3) I periodically run a home-grown perl script that scans the entire campus 
   looking for these machines. It drops HTML files on the user's desktop 
   warning them of the vulnerability and providing links to configuration
   instructions. It's crude, but it seems to be effective. The warning dropped
   on their desktop can be viewed at 
   http://www.jmu.edu/computing/security/tools/warn.html

   If anyone is interested in the script, drop me an email. I fear it would
   be much too tempting to script kiddies to leave on an open web site.

4) Several workstation configurations can be set to help with the problem:

   a) Disable network logins from administrator accounts
   b) Use registry to disable administrative shares
   c) Require a password for all accounts. Administrative level passwords must
      be strong enough to withstand repeated network guessing attacks. Other 
      accounts should be configured to lock on too many unsuccessful attempts.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
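The host-side part of the advice above (the blank-Administrator check behind item 2 and the three workstation settings in item 4), written up as one script. This is an added example for this archive page, not Gary's Perl scanner and not anything from JMU; the border filtering in item 1 is router ACL work and is not shown. Assumptions that are not in the post: a lockout threshold of 10 bad guesses, a 30 minute lockout and reset window, and a minimum password length of 8. Registry value names, secedit INF keys and the user-right name are Microsoft's documented ones. Run from an elevated PowerShell prompt on the workstation being fixed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or from JMU): check for a blank
# Administrator password (item 2) and apply the item 4 settings on one host.
# Assumed values: lockout threshold 10, lockout/reset window 30 min, min
# password length 8. Change them to match your own policy.

$ErrorActionPreference = 'Stop'

# Item 2 check: can ADMIN$ be mapped over the network with an empty password?
# Exactly one guess, and the empty password is the test. A false negative
# only happens when Windows already refuses blank-password network logons,
# which is the case that is not exploitable anyway.
function Test-BlankAdminPassword {
    cmd /c 'net use \\127.0.0.1\ADMIN$ "" /user:Administrator 2>&1' | Out-Null
    $open = ($LASTEXITCODE -eq 0)
    if ($open) { cmd /c 'net use \\127.0.0.1\ADMIN$ /delete /y 2>&1' | Out-Null }
    return $open
}

# 4b: stop the Server service creating C$, D$, ... and ADMIN$ at start-up.
# Workstation SKUs read AutoShareWks, server SKUs read AutoShareServer; set
# both so the script works on either. Takes effect when the service restarts.
function Disable-AdminShares {
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $p -Name AutoShareWks    -Value 0 -Type DWord
    Set-ItemProperty -Path $p -Name AutoShareServer -Value 0 -Type DWord
    Restart-Service LanmanServer -Force
}

# 4c, XP and later only: refuse network logons for any local account whose
# password is blank (console logon still works). Covers accounts you have not
# yet got round to giving a password.
function Set-BlankPasswordRestriction {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                     -Name LimitBlankPasswordUse -Value 1 -Type DWord
}

# 4a + 4c: local security policy through a secedit template. Denying
# SeNetworkLogonRight to the built-in Administrator (RID 500, located by SID
# so a renamed account is still caught) means it cannot be used over the
# network at all; the lockout settings protect the other accounts.
# Caveat: secedit replaces the whole deny list, so merge in any SIDs you
# already deny network logon to before running this.
function Set-LocalSecurityPolicy {
    $adminSid = (Get-CimInstance Win32_UserAccount -Filter "LocalAccount=TRUE" |
                 Where-Object { $_.SID -like '*-500' }).SID
    $inf = Join-Path $env:TEMP 'harden.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
[Privilege Rights]
SeDenyNetworkLogonRight = *$adminSid
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'harden.sdb') /cfg $inf `
            /areas SECURITYPOLICY USER_RIGHTS /quiet | Out-Null
    Remove-Item $inf
}

# Verify: the drive shares and ADMIN$ are gone (IPC$ stays, it is needed)
# and the lockout values are in force.
function Show-Result {
    $shares = (cmd /c 'net share') -join "`n"
    if ($shares -match '(?m)^(ADMIN\$|[A-Z]\$)\s') { Write-Warning 'admin shares still present' }
    else { 'administrative shares: disabled' }
    (cmd /c 'net accounts') | Select-String 'Lockout|Minimum password length'
}

if (Test-BlankAdminPassword) {
    Write-Warning 'Administrator has a blank password; set one first: net user Administrator *'
}
Disable-AdminShares
Set-BlankPasswordRestriction
Set-LocalSecurityPolicy
Show-Result
```

Two things to keep in mind when using it: Test-BlankAdminPassword is a single logon attempt against your own machine, so run it before Set-LocalSecurityPolicy or it counts toward the lockout threshold you are about to set; and denying network logon to the built-in Administrator also removes your own ability to manage the box remotely with that account, which is the point, so make sure another administrative account with a strong password exists before you rely on it.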
