From: Jack Lyons (jack.lyons@MARTINAGENCY.COM)
Date: Mon May 07 2001 - 11:44:04 CDT


    Check the computer Browser Service Properties. If there is anything that is
    listed, then try removing them one at a time and see if that helps.

    -----Original Message-----
    From: DE VILLIERS IAN [mailto:ian.devilliers@BMW.CO.ZA]
    Sent: Monday, May 07, 2001 6:30 AM
    To: FOCUS-MS@SECURITYFOCUS.COM
    Subject: Weird happenings

    Hi everyone.

    I write this e-mail as I am rather concerned with some strange occurrences
    at one of our remote sites.

    The breakdown is more-or-less as follows.

    Our BDC at our remote site has on occasion been somehow knocked off the
    network. Trying to open shares from other machines will come up with a
    network error: "The network name cannot be found". These shares do exist
    and when trying to open any shares from the server in question, an error
    message will appear stating "MACHINE NAME There is a duplicate name on the
    network". Doing an nbtstat -A on the machine's IP address will show
    something like:

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    MACHINE        <00>  UNIQUE      Conflict
    DOMAIN         <00>  GROUP       Registered
    DOMAIN         <1C>  GROUP       Registered
    MACHINE        <20>  UNIQUE      Conflict
    DOMAIN         <1E>  GROUP       Registered
    MACHINE        <03>  UNIQUE      Conflict
    MLI_GROUP_BRAD <42>  GROUP       Registered
    MLIA199E071BRAD<42>  UNIQUE      Registered

    MAC Address = XX-XX-XX-XX-XX-XX

    The "Duplicate Name" issue is not at all related to WINS/DNS configuration.

    Upon consulting the event logs for the machine, the security log shows a
    very high number of failed logins (Message ID: 529) from a specific machine
    located at one of our foreign branches in a separate "complete trust"
    domain. All of these failed logins appear at a very regular occurrence of
    one failed login every 4 minutes. The times these failed logins occur also
    normally run on strange days (eg: Saturdays/Sundays very late in the
    evening) and appear to run for hours on end. In between all these failed
    logins, we also receive a lockout (Message ID: 644) every 13 minutes from
    the same computer on the domain "Guest" account which is not even enabled.

    I do not have a huge amount of expertise in security matters, but I am very
    concerned about situations currently. Is this machine under attack? In my
    experience, programs that brute force passwords will make hundreds of
    connections a minute, so why do the logs only show one connection every 4
    minutes? Is it possible that somebody may be "spoofing" the machine's name?
    What

    The machine in question runs NT Server 4.0, Service Pack 6a and Microsoft
    SQL Server 7. Network is TCP/IP.

    Regards,

    Ian de Villiers
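The cadence Ian describes (one event 529 every 4 minutes and a Guest lockout every 13 minutes, all from one source host) is the kind of low-and-slow pattern a defender can pull out of the Security log by measuring how regular the gaps between events from each source are. The Python below is an added example, not code from the thread; the log lines, host names and accounts are constructed, and the CSV layout is assumed rather than any real export format.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean
# Constructed sample (not from the thread): NT4 Security log entries reduced to
# "timestamp,event id,source workstation,target account". Event 529 is a logon
# failure (bad user name or password); event 644 is an account lockout.
SAMPLE_LOG = """\
2001-05-05 22:00:02,529,FOREIGNWS,administrator
2001-05-05 22:04:01,529,FOREIGNWS,administrator
2001-05-05 22:08:03,529,FOREIGNWS,administrator
2001-05-05 22:12:00,529,FOREIGNWS,administrator
2001-05-05 22:13:05,644,FOREIGNWS,Guest
2001-05-05 22:16:02,529,FOREIGNWS,administrator
2001-05-05 22:20:02,529,FOREIGNWS,administrator
2001-05-05 22:26:05,644,FOREIGNWS,Guest
2001-05-05 22:39:05,644,FOREIGNWS,Guest
2001-05-05 22:52:05,644,FOREIGNWS,Guest
2001-05-05 09:15:10,529,LOCALPC,jsmith
2001-05-05 09:15:14,529,LOCALPC,jsmith
2001-05-05 09:17:40,529,LOCALPC,jsmith
"""

def parse_log(text):
    """Turn the CSV-like lines into (timestamp, event_id, source, account) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, event_id, source, account = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), source, account))
    return records

def find_regular_sources(records, min_events=4, max_jitter_s=30):
    """Return {(event_id, source, account): mean gap in seconds} for series with a near-constant cadence."""
    by_key = defaultdict(list)
    for ts, event_id, source, account in records:
        by_key[(event_id, source, account)].append(ts)
    flagged = {}
    for key, times in by_key.items():
        if len(times) < min_events:
            continue  # too few events to call it a pattern (covers a user mistyping a password)
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if max(abs(g - avg) for g in gaps) <= max_jitter_s:  # metronome-like spacing, i.e. scripted
            flagged[key] = round(avg)
    return flagged

if __name__ == "__main__":
    for (event_id, source, account), gap in find_regular_sources(parse_log(SAMPLE_LOG)).items():
        print(f"event {event_id} from {source} against {account}: every {gap // 60} min")
```

On the sample the scripted FOREIGNWS series are reported at 240 s and 780 s, while the three bursty jsmith failures from LOCALPC are not flagged.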