List: ntsecurity
Subject: RE: [NTSEC] Anonymous FTP account lockout?
From: Bernard Freund <bef () portoweb ! com ! br>
Date: 1997-11-25 18:10:54
Not necessarily. It's happening here, on a test domain (physically
separated from the Internet and from any users). It seems to happen on
PDC/BDCs only. If you have a policy to lock out after 10 bad logon
attempts, for example, and you (Administrator) load a page with 10 GIFs, it
will load the page, 9 of the GIFs and then lock out. Seems like a bug to
me.
Regards,
Bernard
________________________________________________
Bernard Freund
Enterprise Consulting Partners Ltd.
Rua Gaspar Martins, 199/100
Guaiba, RS 92500-000, Brazil
mailto:bef@portoweb.com.br
+55 51 480 2230
_______________________________________________
On Monday, November 24, 1997 8:28 PM, We've got computers-We're tapping
phone lines-I know that that ain't allowed [SMTP:weld@l0pht.com] wrote:
>
>
> The IUSR_MACHINENAME account can be locked out by NT login attempts, not
> web server authentication attempts. You must be running NT filesharing
> without a firewall between you and the internet. Someone has done a
>
> nbtstat -A IP
>
> with your IP address, discovered you have filesharing accessible from
> the internet and also discovered the username of your IUSR_MACHINENAME
> account. Then they have tried to access file shares with that username
> repeatedly and locked out the account. Something like this:
>
> net use \\IP\sharename "garbage" /USER:"IUSR_MACHINENAME"
>
> As far as I know the only solutions are to:
>
> 1. Install a firewall or reconfigure the one you have to block out port
> 135 and 139 to that machine (Best option).
>
> 2. Do without filesharing on that machine (probably not an option).
>
> 3. Do without account lockout (maybe a good short term option).
>
>
> -weld
>
> Weld Pond - weld@l0pht.com - http://www.l0pht.com/~weld
> L 0 p h t H e a v y I n d u s t r i e s
> Technical archives for the people - Bio/Electro/Crypto/Radio
>
> On Mon, 24 Nov 1997, Cara Hart wrote:
>
> >
> > I'm hoping someone out there has seen this before and can give me some ideas.
> >
> > This morning we had a user call to say he couldn't get into our FTP site.
> > We allow anonymous logins. This is NT 4.0 Server with IIS.
> >
> > When I looked at the server, the account IUSR_MACHINENAME (which is used
> > for logging into the Web and FTP sites anonymously) had become locked out.
> >
> > How did this happen? I know that accounts will be locked out if someone
> > tries too many bad passwords (if you have that feature set, which I do).
> > But how could anonymous logins carry bad passwords?
> >
> > Have I been hacked? Or did someone try to login and just got it really wrong?
> >
> > Thanks in advance for your advice,
> >
> > Cara Hart
> >
> > ------------------------------------------------------------
> > Cara Hart
> > chart@aritek.com
> > Systems Administrator
> > ARITEK Systems, Inc.
> >
> > My opinions expressed here, and in any public forum, are my
> > own and do not represent those of my employer or its clients.
> >
> >
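The pattern Weld describes above, a run of failed network logons against the IUSR_ account followed by the lockout event, is exactly what an administrator would want to spot in the security log before the anonymous web/FTP account goes dark. The script below is an added example and not code from anyone in this thread. It replays constructed, simplified log records (pipe-separated fields; the host name WEBSRV and the source address 203.0.113.9 are made up) and assumes the NT 4.0 event IDs 529 (logon failure: bad user name or password) and 539 (logon failure: account locked out), logon type 3 for network logons such as SMB `net use`, and the thread's ten-attempt lockout policy. It warns one attempt before the threshold, flags when the threshold is hit, and records which remote hosts produced the failures, which is the evidence for Weld's "filesharing is reachable from the internet" diagnosis.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10          # the thread's example policy: lock out after 10 bad attempts
WINDOW = timedelta(minutes=30)  # assumed bad-logon counter reset window
LOCAL_HOST = "WEBSRV"           # constructed name of the web/FTP server itself

# NT 4.0 security event IDs and logon type assumed for this example.
EV_LOGON_FAILURE = 529   # unknown user name or bad password
EV_LOCKED_OUT = 539      # logon failure: account locked out
NETWORK_LOGON = 3        # logon type produced by SMB connections such as "net use"

# Constructed sample records: timestamp|event id|account|logon type|source host.
# Ten bad network logons from one remote address against the IIS account, then
# the lockout, then one unrelated interactive failure by an ordinary user.
SAMPLE_LOG = """\
1997-11-24 09:00:00|528|IUSR_WEBSRV|3|WEBSRV
1997-11-24 09:01:10|529|IUSR_WEBSRV|3|203.0.113.9
1997-11-24 09:01:11|529|IUSR_WEBSRV|3|203.0.113.9
1997-11-24 09:01:12|529|IUSR_WEBSRV|3|203.0.113.9
1997-11-24 09:01:13|529|IUSR_WEBSRV|3|203.0.113.9
1997-11-24 09:01:14|529|IUSR_WEBSRV|3|203.0.113.9
1997-11-24 09:01:15|529|IUSR_WEBSRV|3|203.0.113.9
1997-11-24 09:01:16|529|IUSR_WEBSRV|3|203.0.113.9
1997-11-24 09:01:17|529|IUSR_WEBSRV|3|203.0.113.9
1997-11-24 09:01:18|529|IUSR_WEBSRV|3|203.0.113.9
1997-11-24 09:01:19|529|IUSR_WEBSRV|3|203.0.113.9
1997-11-24 09:01:20|539|IUSR_WEBSRV|3|203.0.113.9
1997-11-24 09:05:00|529|chart|2|WEBSRV
"""


def parse_record(line):
    """Split one simplified log line into a dict with typed fields."""
    ts, event_id, account, logon_type, source = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "account": account,
        "logon_type": int(logon_type),
        "source": source,
    }


def is_anonymous_web_account(account):
    """IIS names its anonymous account IUSR_<machine name>."""
    return account.upper().startswith("IUSR_")


def find_lockout_risk(lines, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Replay log lines and return alerts as failures approach the lockout policy."""
    failures = defaultdict(deque)   # account -> timestamps of recent 529 events
    sources = defaultdict(set)      # account -> remote hosts behind those failures
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        acct = rec["account"]
        if rec["event_id"] == EV_LOCKED_OUT:
            alerts.append({"kind": "locked_out", "account": acct, "at": rec["ts"],
                           "anonymous_web": is_anonymous_web_account(acct),
                           "sources": sorted(sources[acct])})
            continue
        if rec["event_id"] != EV_LOGON_FAILURE:
            continue
        recent = failures[acct]
        while recent and rec["ts"] - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        recent.append(rec["ts"])
        # A network logon from a host other than the server itself points at
        # file sharing (ports 135/139) being reachable from outside.
        if rec["logon_type"] == NETWORK_LOGON and rec["source"] != LOCAL_HOST:
            sources[acct].add(rec["source"])
        n = len(recent)
        if n == threshold - 1:
            kind = "near_lockout"
        elif n >= threshold:
            kind = "threshold_reached"
        else:
            continue
        alerts.append({"kind": kind, "account": acct, "at": rec["ts"], "failures": n,
                       "anonymous_web": is_anonymous_web_account(acct),
                       "sources": sorted(sources[acct])})
    return alerts


if __name__ == "__main__":
    for alert in find_lockout_risk(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed input the script emits three alerts for IUSR_WEBSRV (nine failures, ten failures, locked out), each naming 203.0.113.9 as the only remote source, and nothing for the single failure by `chart`. A non-empty `sources` list on an IUSR_ alert is the signal that the failures came over the network from another host rather than from the web server's own authentication, which is the distinction Weld draws at the top of his reply.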