
List:       ntsecurity
Subject:    RE: [NTSEC] Anonymous FTP account lockout?
From:       Bernard Freund <bef () portoweb ! com ! br>
Date:       1997-11-25 18:10:54


Not necessarily. It's happening here, on a test domain (physically 
separated from the Internet and from any users). It seems to happen on 
PDC/BDCs only. If you have a policy to lock out after 10 bad logon 
attempts, for example, and you (Administrator) load a page with 10 GIFs, it 
will load the page, 9 of the GIFs and then lock out. Seems like a bug to 
me.

Regards,
Bernard

________________________________________________

Bernard Freund
Enterprise Consulting Partners Ltd.
Rua Gaspar Martins, 199/100
Guaiba, RS 92500-000, Brazil
mailto:bef@portoweb.com.br
+55 51 480 2230
_______________________________________________


On Monday, November 24, 1997 8:28 PM, We've got computers-We're tapping phone lines-I know that that ain't allowed [SMTP:weld@l0pht.com] wrote:
>
>
> The IUSR_MACHINENAME account can be locked out by NT login attempts, not
> web server authentication attempts.  You must be running NT filesharing
> without a firewall between you and the internet.  Someone has done a
>
> nbtstat -A IP
>
> with your IP address, discovered you have filesharing accessible from
> the internet and also discovered the username of your IUSR_MACHINENAME
> account.  Then they have tried to access file shares with that username
> repeatedly and locked out the account.  Something like this:
>
> net use \\IP\sharename "garbage" /USER:"IUSR_MACHINENAME"
>
> As far as I know the only solutions are to:
>
> 1. Install a firewall or reconfigure the one you have to block out port
> 135 and 139 to that machine  (Best option).
>
> 2. Do without filesharing on that machine (probably not an option).
>
> 3. Do without account lockout (maybe a good short term option).
>
>
> -weld
>
>       Weld Pond   -  weld@l0pht.com   -   http://www.l0pht.com/~weld
>       L  0  p  h  t    H  e  a  v  y    I  n  d  u  s  t  r  i  e  s 
>       Technical archives for the people  -  Bio/Electro/Crypto/Radio
>
> On Mon, 24 Nov 1997, Cara Hart wrote:
>
> >
> > I'm hoping someone out there has seen this before and can give me some ideas.
> >
> > This morning we had a user call to say he couldn't get into our FTP site.
> > We allow anonymous logins.  This is NT 4.0 Server with IIS.
> >
> > When I looked at the server, the account IUSR_MACHINENAME (which is used
> > for logging into the Web and FTP sites anonymously) had become locked out.
> >
> > How did this happen?  I know that accounts will be locked out if someone
> > tries too many bad passwords (if you have that feature set, which I do).
> > But how could anonymous logins carry bad passwords?
> >
> > Have I been hacked?  Or did someone try to login and just got it really wrong?
> >
> > Thanks in advance for your advice,
> >
> > 	Cara Hart
> >
> > ------------------------------------------------------------
> > Cara Hart
> > chart@aritek.com
> > Systems Administrator
> > ARITEK Systems, Inc.
> >
> > My opinions expressed here, and in any public forum, are my
> > own and do not represent those of my employer or its clients.
> >
> > 
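The lockout denial of service that Weld describes above, modelled as an added example (this is not code from any poster in the thread). The policy object mirrors the NT "lock out after N bad logon attempts" setting; the logon sources, the account name IUSR_WEBSRV, the attacker address 10.0.0.66 and the timestamps are constructed. The numeric event IDs follow the NT-era Security log (528 successful logon, 529 bad password, 539 logon refused because locked, 644 account locked out), but the tuple layout is a simplified stand-in, not a parser for the real event log. The model shows why the fix is at the network (ports 135/139) and not in IIS: the anonymous IIS/FTP logons always succeed, yet ten bad SMB attempts against the same username lock the account for everyone.

```python
"""Model of an account-lockout DoS against the IIS anonymous account.

Constructed example; not from the original thread. Event IDs approximate
the NT Security log (528/529/539/644); the record layout is simplified.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int       # lock out after this many bad attempts
    reset_window: int    # seconds after which the bad-attempt counter resets
    duration: int        # seconds locked; 0 means "until an administrator unlocks"


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent bad attempts
    locked_until: float = None                    # None when not locked


class LockoutSimulator:
    """Applies one lockout policy to every account, the way an NT domain does."""

    def __init__(self, policy):
        self.policy = policy
        self.state = defaultdict(AccountState)
        self.log = []  # (timestamp, event_id, account, source, detail)

    def attempt(self, ts, account, password_ok, source):
        st, p = self.state[account], self.policy
        # Expire a timed lock; a lock with duration 0 is set to infinity and never expires here.
        if st.locked_until is not None and ts >= st.locked_until:
            st.locked_until = None
            st.failures.clear()
        if st.locked_until is not None:
            # The password is irrelevant once locked: even the correct one is refused.
            self.log.append((ts, 539, account, source, "logon refused, account locked"))
            return "locked"
        if password_ok:
            st.failures.clear()
            self.log.append((ts, 528, account, source, "successful logon"))
            return "ok"
        st.failures = [t for t in st.failures if ts - t < p.reset_window]
        st.failures.append(ts)
        self.log.append((ts, 529, account, source, "bad password"))
        if len(st.failures) >= p.threshold:
            st.locked_until = ts + p.duration if p.duration else float("inf")
            self.log.append((ts, 644, account, source, "account locked out"))
            return "locked_now"
        return "failed"


def run_scenario():
    """Anonymous web/FTP logons succeed, then an SMB password-guessing loop locks the account."""
    sim = LockoutSimulator(LockoutPolicy(threshold=10, reset_window=1800, duration=0))
    # IIS logs IUSR_WEBSRV on with its stored password for each anonymous request: always OK.
    for i in range(5):
        sim.attempt(100 + i, "IUSR_WEBSRV", True, "IIS anonymous")
    # Attacker on 139/tcp repeating: net use \\IP\share "garbage" /USER:IUSR_WEBSRV
    for i in range(10):
        sim.attempt(200 + i, "IUSR_WEBSRV", False, "SMB 10.0.0.66")
    # The next legitimate anonymous FTP logon is refused although its password is right.
    result = sim.attempt(300, "IUSR_WEBSRV", True, "FTP anonymous")
    return sim, result


def lockout_report(log, service_prefixes=("IUSR_",)):
    """Map each locked-out service account to the sources of the bad passwords that caused it.

    A lockout of IUSR_* preceded by failures from an SMB source, rather than from the
    web server, is the signature of the attack described in the thread.
    """
    report, bad_sources = {}, defaultdict(set)
    for ts, event_id, account, source, _ in log:
        if event_id == 529:
            bad_sources[account].add(source)
        elif event_id == 644 and account.startswith(service_prefixes):
            report[account] = sorted(bad_sources[account])
    return report


if __name__ == "__main__":
    sim, result = run_scenario()
    print("anonymous FTP logon after the SMB attempts:", result)
    for account, sources in lockout_report(sim.log).items():
        print(f"{account} locked out; bad passwords came from: {', '.join(sources)}")
```

Running it prints that the post-attack anonymous FTP logon is refused and that every bad password against IUSR_WEBSRV came from the SMB source, which is what an administrator in Cara's position would want to see in the Security log before deciding between blocking 135/139 and dropping the lockout policy.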
