We have a 2008 R2 virtual server that is used only for logging in via RDP or from the local console. No VPN traffic is needed.
The server was under attack for a few days, viruses were installed, and so on. Most of that has now been cleaned up, but I still see many failed login attempts, mainly for the user Administrator. The logon type of the failed attempts is logon type 3.
From my understanding, (logon type 3) is a login attempt from the local network. I have now tried to disable all type 3 logins, but without success.
What I have done so far:
Disabled File and Printer Sharing in the network adapter settings
Disabled Windows networking in the network adapter settings
In Advanced sharing settings I disabled everything (network discovery, file and printer sharing, public folder sharing, and password-protected sharing)
I also tried to close some ports I don't need, but the login attempts continue.
My questions:
What can I do to block all type 3 login attempts?
Are there ports I can close?
Any other settings to block local logins?
Could these attempts originate from a program running in Windows? If so, how can I identify that program?
Any other debugging tips?
Here is an entry from the event log:
An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		ADMINISTRATOR
	Account Domain:		

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006d
	Sub Status:		0xc000006a

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NtLmSsp
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
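As an added example that is not part of the original post: one way to answer "where are the type 3 attempts coming from, and against which accounts" on the server itself is to pull every event 4625 from the Security log, extract the fields shown above from the event XML, and tally them by source address, workstation name and target account. It assumes an elevated PowerShell prompt on the 2008 R2 server (PowerShell 2.0 is enough) and a 24-hour look-back window.

```powershell
# Added example, not code from the original post.
# Summarise failed network logons (event 4625, Logon Type 3) from the Security log.
$since = (Get-Date).AddHours(-24)   # assumption: look back 24 hours; adjust as needed

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Each 4625 carries its fields as <Data Name="..."> elements; turn them into a hashtable
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    if ($d['LogonType'] -eq '3') {
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            User        = $d['TargetUserName']
            Source      = $d['IpAddress']          # '-' means the event recorded no client address
            Workstation = $d['WorkstationName']    # may be blank, as in the entry above
            LogonProc   = $d['LogonProcessName']   # e.g. NtLmSsp
            SubStatus   = $d['SubStatus']          # 0xc000006a = bad password, 0xc0000064 = no such user
        }
    }
}

# Attempts per source address / workstation, busiest first
$rows | Group-Object Source, Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Accounts being guessed, and the time span of the attempts
$rows | Group-Object User | Select-Object Count, Name | Format-Table -AutoSize
$rows | Measure-Object Time -Minimum -Maximum | Select-Object Minimum, Maximum

# Listeners still exposed on the server, with the owning process id (relates to "which ports can I close")
netstat -ano | Select-String 'LISTENING'
```

If the busiest group is a source of '-' with a blank workstation name, the log alone does not say which host sent the NTLM request, so correlate the timestamps with the firewall log or packet captures on the RDP and SMB ports rather than relying on this field.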