Subject: [ActiveDir] OT: Netlogon Service

aaron_visser@xxxx.yyy

03/10/2006 5:47 AM  
Well I know this is a little off topic but I cannot find any answers so I
have decided that I need to tap into this huge fountain of knowledge.

Computer - Win XP Pro SP2 latest Updates

Problem - Computer was working fine and all of a sudden after a reboot today
I can no longer login to it via the Domain (it says that the NetLogon
Service is not started) So I logged onto another computer and remotely
connected to the computer thru the Computer Management MMC Snap-In and
checked the Netlogon Service and sure enough it was disabled, so I set it to
Auto and then proceeded to start the Service. But it will not start because
it says that the RPC Locator Service (to the best of my recollection) needs
to be started, so I check that and sure enough it is disabled also. So I
try to start that service but it gives me some error that I cannot recall at
this time. Anyways trying to make this story short I am pretty sure that
the computer in question was targeted from within the LAN remotely. So the
big question or questions are is it possible to attack a computer in this
manner? If it is possible does anyone have any info on how to accomplish
this so that I can try and figure out how or what was used and maybe even
nail the person (student) who did this.

Thanks,

Aaron
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
AD00000336

03/10/2006 2:56 AM  
Run a portqry on ports 1024 and 1025 from the host to your DCs and from the server to the workstation to see if you get blocked responses.

I have seen it where firewall and router jockeys like to block these ports because they are "known ports that viruses use". The problem is the MS RPC service hits them first before dynamically selecting a higher port.

Todd Myrick

________________________________

From: Ken Schaefer [mailto:Ken@xxxxxxxxxxxxxxxx]
Sent: Fri 3/10/2006 2:07 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] OT: Netlogon Service

For all we know, someone did exactly what you did (connect remotely using administrative credentials) and disabled the services.

Do you have logon auditing enabled? If so, have you checked to see who's logged onto the machine?

Cheers
Ken

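Added example, not part of the original posts: a small TCP probe for the two ports named in the reply above, reporting each with PortQry's result words so a silently dropped port ("FILTERED") can be told apart from one that answers but has nothing bound ("NOT LISTENING"). The host name `dc01.example.test`, the timeout and the `UNRESOLVED` state are assumptions made for this sketch.

```python
import socket

# Ports named in the post above. The default timeout and the host name in the
# __main__ block are assumptions made for this example.
RPC_PORTS = (1024, 1025)


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt using PortQry's result words."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror:
        return "UNRESOLVED"  # name lookup failed; not a port problem (added state)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
        return "LISTENING"  # handshake completed
    except ConnectionRefusedError:
        return "NOT LISTENING"  # RST came back: host reachable, nothing bound
    except OSError:
        return "FILTERED"  # timeout or unreachable: dropped somewhere in the path
    finally:
        sock.close()


def survey(host, ports=RPC_PORTS, timeout=3.0):
    """Probe each port and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


def diagnose(results):
    """Summarise the probe states in terms of the blocking described above."""
    filtered = sorted(p for p, s in results.items() if s == "FILTERED")
    if filtered:
        return "ports %s get no answer: check firewall/router rules in the path" % filtered
    return "no port is silently dropped: look at the services on the host itself"


if __name__ == "__main__":
    results = survey("dc01.example.test")  # hypothetical DC name
    for port, state in sorted(results.items()):
        print("TCP port %d: %s" % (port, state))
    print(diagnose(results))
```

Run it in both directions, as the reply suggests, since a filter may apply to only one side of the path.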
aaron_visser@xxxx.yyy

03/10/2006 4:38 AM  
-----Original Message-----
From: Ken Schaefer [mailto:Ken@xxxxxxxxxxxxxxxx]
Sent: Thu 3/9/2006 11:07 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Cc:
Subject: RE: [ActiveDir] OT: Netlogon Service


For all we know, someone did exactly what you did (connect remotely using administrative credentials) and disabled the services.

Do you have logon auditing enabled? If so, have you checked to see who's logged onto the machine?

Cheers
Ken

AD000001377

03/10/2006 6:46 AM  
_____

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Aaron Visser
Sent: Friday, March 10, 2006 11:39 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] OT: Netlogon Service



Well if they did why wouldn't I be able to restart the services, I am
thinking there is more to it than just someone stopped the ports, but I will
look into the auditing, just to be sure.

Thanks,
Aaron

ken

03/10/2006 7:10 AM  
For all we know, someone did exactly what you did (connect remotely using administrative credentials) and disabled the services.

Do you have logon auditing enabled? If so, have you checked to see who's logged onto the machine?

Cheers
Ken
sbradcpa

03/10/2006 7:16 AM  
Malware?

Malware can hork up the TCP/IP stack really good.

Ken Schaefer wrote:
For all we know, someone did exactly what you did (connect remotely
using administrative credentials) and disabled the services.

Do you have logon auditing enabled? If so, have you checked to see
who's logged onto the machine?

Cheers

Ken
