[unisog] PC hack
flynngn at jmu.edu
Thu Mar 28 18:25:23 GMT 2002
Jenett Tillotson wrote:
> We had 3 PCs running Windows 2000 broken into on Tuesday, March
> 26th. These were machines with accounts that had no passwords.
> I'm curious if anyone else has seen a similar attack and what else should
> we be looking for?
What else should you be looking for on those machines?
I'd say they need to be wiped clean and re-installed before being put back
What else should you be looking for to prevent further occurrences?
1) Block netbios at the border if you can. (ports 137,138,139,445)
2) If netbios is open, any NT, Win2000, or XP system without an
administrator password is wide open...the entire hard drive
is shared on the network through the hidden administrative
shares giving the whole world the ability to take control of the
machine. Same for Windows 9x machines with the entire hard
drive shared read/write.
3) I periodically run a home-grown perl script that scans the entire campus
looking for these machines. It drops HTML files on the user's desktop
warning them of the vulnerability and providing links to configuration
instructions. It's crude but it seems to be effective. The warning dropped
on their desktop can be viewed at
If anyone is interested in the script, drop me an email. I fear it would
be much too tempting to script kiddies to leave on an open web site.
4) Several workstation configurations can be set to help with the problem:
a) Disable network logins from administrator accounts
b) Use registry to disable administrative shares
c) Require a password for all accounts. Administrative-level passwords must
be strong enough to withstand repeated network guessing attacks. Other
accounts should be configured to lock on too many unsuccessful attempts.
Security Engineer - Technical Services
James Madison University
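The workstation-side settings in item 4 (deny network logon to administrators, disable the hidden administrative shares, require passwords and lock out accounts after repeated failures), written up as an added PowerShell audit-and-harden script. This is not the poster's perl scanner or any code from the original message; it assumes a current Windows host with PowerShell 5 or later, the built-in SmbShare and LocalAccounts modules, and the secedit.exe and net.exe tools. The registry value names (AutoShareWks/AutoShareServer) and the SeDenyNetworkLogonRight privilege are real Windows settings; the lockout numbers and minimum password length are example policy values, not something the message specifies.

```powershell
# Added example (not from the original post): report on, and optionally fix,
# the three workstation exposures from item 4. Run from an elevated prompt.
# Without -Apply the script only reports; with -Apply it changes settings.
[CmdletBinding()]
param([switch]$Apply)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-BlankPasswordAccounts {
    # Enabled local accounts that do not require a password (the original
    # exposure: a blank administrator password over NetBIOS/SMB).
    Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object -ExpandProperty Name
}

function Get-AdminShares {
    # Hidden administrative shares (C$, D$, ADMIN$) still exported by the host.
    Get-SmbShare | Where-Object { $_.Special -and $_.Name -match '^([A-Z]|ADMIN)\$$' } |
        Select-Object -ExpandProperty Name
}

function Get-AutoShareSetting {
    # 0 means the server service will not recreate the admin shares on restart.
    (Get-ItemProperty -Path $lanman -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
}

# ---- report -------------------------------------------------------------
$blank  = @(Get-BlankPasswordAccounts)
$shares = @(Get-AdminShares)
Write-Host "Accounts with no password required : $($blank -join ', ')"
Write-Host "Administrative shares present      : $($shares -join ', ')"
Write-Host "AutoShareWks registry value        : $(Get-AutoShareSetting)"

if (-not $Apply) { Write-Host 'Re-run with -Apply to change these settings.'; return }

# ---- 4c: require passwords on every account, lock out after repeated failures
foreach ($name in $blank) {
    # Forces the account to have a password; set one afterwards with Set-LocalUser.
    net user $name /passwordreq:yes | Out-Null
}
# Example policy values (assumption): 5 failures, 30-minute lockout and window,
# 12-character minimum. Adjust to local policy.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 /minpwlen:12 | Out-Null

# ---- 4b: disable the hidden administrative shares via the registry ------------
Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
Restart-Service LanmanServer -Force      # needed for the change to take effect

# ---- 4a: deny network logon to the local Administrators group -----------------
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. secedit needs an
# INF security template; this one touches only the user-rights area.
$inf = Join-Path $env:TEMP 'deny-admin-network-logon.inf'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-544
"@ | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'deny-admin.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null

Write-Host 'Applied. Verify with: Get-AdminShares ; net accounts ; secedit /export /cfg out.inf'
```

Two practical caveats: denying network logon to the whole Administrators group also blocks legitimate remote administration (remote SMB, WMI and similar) with those accounts, so keep a separate account or management path if you rely on it; and disabling the administrative shares breaks tools that push software or collect logs over C$ and ADMIN$. Run the script in report mode first, then -Apply on a test machine before rolling it out.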