unauthorized access?

Thread: unauthorized access?

  1. #1
    Registered User Poseidon's Avatar
    Join Date
    Jan 2001
    Location
    Knoxville, TN USA
    Posts
    1,762

    Post unauthorized access?

    Will someone help me better understand what is going on here besides the obvious?

    {read log at bottom}
    Server 1 is in the main office with two other servers running Windows 2000 Server (w/out domain).

    User2 is a Win98 workstation in a remote office connected to a Windows 2000 (w/out domain) server. This workstation does not have internet access.

    The offices are connected through a hardware VPN with Watchguard's SOHO (http://www.watchguard.com/products/).

    Weird problems started developing in the remote office a couple weeks ago - someone after hours messing with workstations, etc. To my knowledge the server has not been compromised. I call myself having it locked down fairly tight - no local access allowed (I manage it with Terminal Services), renamed admin account, secure password, etc.
    I'm in the process of putting together two new workstations with Windows 2000 Pro which will replace the Win 98 machines.

    Virus scan comes up clean. Any idea where this is coming from?

    log:

    05/04 15:55:50 Attempting password change server/domain SERVER1 for user TsInternetUser
    05/04 15:55:53 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a
    05/05 15:55:49 Attempting password change server/domain SERVER1 for user TsInternetUser
    05/05 15:55:52 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a
    05/06 15:55:49 Attempting password change server/domain SERVER1 for user TsInternetUser
    05/06 15:55:52 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a
    05/07 15:55:49 Attempting password change server/domain SERVER1 for user TsInternetUser
    05/07 15:55:52 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a
    05/08 15:55:49 Attempting password change server/domain SERVER1 for user TsInternetUser
    05/08 15:55:52 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a
    05/09 15:55:49 Attempting password change server/domain SERVER1 for user TsInternetUser
    05/09 15:55:52 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a
    05/10 15:55:49 Attempting password change server/domain SERVER1 for user TsInternetUser
    05/10 15:55:52 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a
    05/11 15:55:49 Attempting password change server/domain SERVER1 for user TsInternetUser
    05/11 15:55:52 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a
    05/12 15:55:49 Attempting password change server/domain SERVER1 for user TsInternetUser
    05/12 15:55:52 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a
    05/13 15:55:49 Attempting password change server/domain SERVER1 for user TsInternetUser
    05/13 15:55:52 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a

    end log

    What does the returned 0x000006a mean? What about SamChangePassword?

    TIA
    The early bird may get the worm; but the second mouse gets the cheese!

  2. #2
    Registered User Poseidon's Avatar
    Join Date
    Jan 2001
    Location
    Knoxville, TN USA
    Posts
    1,762

    Post

    more information:

    Terminal Service User account on Server1 is disabled.

    Remote Office user accounts do not exist on Server1

    Update

    Evidently the name User2 in SamChangePasswordUser2 is not the workstation User2 in our remote office. I had them shut down the User2 workstation at 15:50 hours today, checked the log, and just like clockwork the following entry appeared:

    05/14 15:55:50 Attempting password change server/domain SERVER1 for user TsInternetUser
    05/14 15:55:53 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a

  3. #3
    Chat Operator Matridom's Avatar
    Join Date
    Jan 2002
    Location
    Ontario, Canada
    Posts
    3,778

    Post

    I'd try a few things.. I'd first need to find out where the connection is coming from. Do you log incoming connections?

    Is the connection coming in on the terminal server? Or is it possibly local access? Are you using the web browser version or the actual client? Does your terminal manager show any disconnected sessions?

    Another question.. Where are those log files being generated?
    <Ferrit> Take 1 live chicken, cut the head off, dance around doing the hokey pokey and chanting: GO AWAY BAD VIRUS, GO AWAY BAD VIRUS
    -----------------------
    Windows 7 Pro x64
    Asus P5QL Deluxe
    Intel Q6600
    nVidia 8800 GTS 320
    6 gigs of Ram
    2x60 gig OCZ Vertex SSD (raid 0)
    WD Black 750 gig
    Antec Tri power 750 Watt PSU
    Lots of fans

  4. #4
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960

    Post

    Is that the full security log? Are you auditing/showing logons of any type (network or local)? What user is performing the action? It may be windows internal password changes.
    Deliver me from Swedish furniture!

  5. #5
    Registered User Poseidon's Avatar
    Join Date
    Jan 2001
    Location
    Knoxville, TN USA
    Posts
    1,762

    Post

    Okay perhaps I over-reacted. The security log in the event viewer is empty and the event log of the Syslog of the SOHO indicates nothing out of the ordinary (at least from what I could tell).

    The Terminal Services Mgr does not show any connections out of the normal.

    The log is from the PASSWD.LOG file located in the WINNT\Debug directory on Server1.

    It was discovered by coincidence when someone logged in using the admin account and did a search for *log*.

    Why though does the date start at 05/04? Is there perhaps a problem that needs to be addressed? Could that be related to the date the admin password was last changed?

    BTW, Yes I am using the web browser version / interface of the SOHO.

  6. #6
    Registered User TheLow1's Avatar
    Join Date
    Jan 2000
    Location
    Ocean Slime, CA
    Posts
    389

    Post

    quote: Originally posted by Poseidon:
    > Okay perhaps I over-reacted. The security log in the event viewer is empty and the event log of the Syslog of the SOHO indicates nothing out of the ordinary

    Maybe not, almost all of the auditing that shows up on the security log is disabled by default.

  7. #7
    Chat Operator Matridom's Avatar
    Join Date
    Jan 2002
    Location
    Ontario, Canada
    Posts
    3,778

    Post

    quote: Originally posted by Poseidon:
    > Okay perhaps I over-reacted. The security log in the event viewer is empty and the event log of the Syslog of the SOHO indicates nothing out of the ordinary (at least from what I could tell).
    >
    > The Terminal Services Mgr does not show any connections out of the normal.
    >
    > The log is from the PASSWD.LOG file located in the WINNT\Debug directory on Server1.
    >
    > It was discovered by coincidence when someone logged in using the admin account and did a search for *log*.
    >
    > Why though does the date start at 05/04? Is there perhaps a problem that needs to be addressed? Could that be related to the date the admin password was last changed?
    >
    > BTW, Yes I am using the web browser version / interface of the SOHO.

    I use the same interface, I'll look into the log files tonight. What I THINK may be happening is the OS is changing the TS logon to the user ID that you're logging in with in order to give you access (basically makes the TS logon the one you're using).

    If you're not using port 3389 and the client, check your IIS logs to see who has been connecting to the Terminal site. If you're really paranoid, use the client, I find it's faster than the web interface and it allows you to cache the bitmaps.

  8. #8
    Registered User +Daemon+'s Avatar
    Join Date
    Jan 2002
    Location
    RC, Ca
    Posts
    3,406

    Post

    Well yesterday, the whole county here in Riverside, California was breached. We had to change all the passwords for every account. We got hacked hard.

  9. #9
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824

    Post

    I have been asked to post this on behalf of a chatroom member who does not have a forum account. I hope this helps.

    Rather benign event viewer entry log. The TS maintains its own password. Which is why you are seeing these entries since that is how it verifies that the password has been changed. I have seen it show up on some systems and on others not show the entry at all that are the same build and consistency throughout. There is rarely much you can do. http://support.microsoft.com/default.aspx?scid=kb;EN-US;q244057
    Never, ever approach a computer saying or even thinking "I will just do this quickly."
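The entries the thread is discussing, as an added example that is not from the thread, the poster, or Microsoft: a small Python parser for lines in the PASSWD.LOG layout shown above that decodes the NTSTATUS value (0xc000006a is STATUS_WRONG_PASSWORD) and separates the benign once-a-day TsInternetUser failures from anything that deviates (a different account, a different result code, or a retry off the 24-hour schedule). The sample lines, the year, and the backupop account are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the PASSWD.LOG excerpt above (not the poster's file):
# two daily TsInternetUser failures, one off-schedule retry, and an invented account.
SAMPLE_LOG = r"""
05/04 15:55:53 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a
05/05 15:55:52 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a
05/06 03:10:41 SamChangePasswordUser2 on machine \\SERVER1 for user TsInternetUser returned 0xc000006a
05/06 23:12:09 SamChangePasswordUser2 on machine \\SERVER1 for user backupop returned 0xc000006a
"""

# NTSTATUS values as documented in ntstatus.h; 0xc000006a is the one in the thread.
NTSTATUS = {0x00000000: "STATUS_SUCCESS", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000072: "STATUS_ACCOUNT_DISABLED"}

RESULT_RE = re.compile(
    r"^(\d\d/\d\d \d\d:\d\d:\d\d) SamChangePasswordUser2 on machine \\\\(\S+) "
    r"for user (\S+) returned (0x[0-9a-fA-F]{8})$"
)
LOG_YEAR = 2002  # assumed: PASSWD.LOG entries carry no year


def parse_results(log_text):
    """Return the SamChangePasswordUser2 result lines as (when, machine, user, status) tuples."""
    out = []
    for line in log_text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%m/%d %H:%M:%S").replace(year=LOG_YEAR)
            out.append((when, m.group(2), m.group(3), int(m.group(4), 16)))
    return out


def classify(results, expected_user="TsInternetUser", tolerance_s=600):
    """Label each entry 'benign' (the daily TS self-change failing with WRONG_PASSWORD) or say why not."""
    findings, last_seen = [], {}
    for when, machine, user, status in results:
        reasons = []
        if user != expected_user:
            reasons.append("unexpected account " + user)
        if status not in (0x00000000, 0xC000006A):
            reasons.append("unexpected result " + NTSTATUS.get(status, hex(status)))
        prev = last_seen.get(user)
        if prev is not None and abs((when - prev).total_seconds() - 86400) > tolerance_s:
            reasons.append("off the daily schedule")
        last_seen[user] = when
        findings.append((when.strftime("%m/%d %H:%M:%S"), user, "; ".join(reasons) or "benign"))
    return findings
```

Run it over a real PASSWD.LOG and anything other than "benign" is the line worth correlating with the Security log once logon auditing is turned on.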

  10. #10
    Registered User Poseidon's Avatar
    Join Date
    Jan 2001
    Location
    Knoxville, TN USA
    Posts
    1,762

    Post

    quote: Originally posted by NooNoo:
    > I have been asked to post this on behalf of a chatroom member who does not have a forum account. I hope this helps.
    >
    > Rather benign event viewer entry log. The TS maintains its own password. Which is why you are seeing these entries since that is how it verifies that the password has been changed. I have seen it show up on some systems and on others not show the entry at all that are the same build and consistency throughout. There is rarely much you can do. http://support.microsoft.com/default.aspx?scid=kb;EN-US;q244057

    Please tell the chatroom member "Thanks" on my behalf. [Wink]

    The M$ article explains it all. I just love the last line:

    quote:
    > STATUS
    >
    > Microsoft has confirmed this to be a problem in the Microsoft products that are listed at the beginning of this article.

    I am using TS for admin purposes only so a license is not required.

  11. #11
    Geezer confus-ed's Avatar
    Join Date
    Jul 1999
    Location
    In front of my PC....
    Posts
    13,087

    Talking

    quote: Originally posted by NooNoo:
    > I have been asked to post this on behalf of a chatroom member who does not have a forum account. I hope this helps.

    Well it did! Recruit that chatroom member nooooooo!
