How are wannabe hackers finding out my MS domain name and member hosts?
I have a Microsoft "domain" administered by Samba, "bogo.local". There are about a dozen domain members which are a mix of Linux and Windows 10. Hackers are continuously trying to break into the Windows workstations via Remote Desktop Connection. Remote desktop is enabled, but not using the standard port 3389.
I can understand how hackers/bots could figure out the correct RDC port by probing all open ports and looking for a tell-tale response fingerprint. What I don't get is how they can determine a) the domain name and b) the host names of domain members. For example, my intrusion script will log the following:
Code:
[2022/01/19 16:15:19.670110, 2] authentication for user [DBMACHINE.BOGO.LOCAL/Administrator] FAILED with error NT_STATUS_NO_SUCH_USER, port: 2203, IP: 45.227.253.39
I'm not as concerned about the user name, as these mostly appear to be wild guesses, although sometimes they are legit user names, but those can be harvested from email repositories. Any thoughts on how domain/host info can be determined from outside the LAN?
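The "tell-tale response fingerprint" mentioned above is concrete for RDP: whatever port the listener is on, it answers the first client packet (an X.224 Connection Request carrying an RDP negotiation request) with an X.224 Connection Confirm that starts with a TPKT header and either an RDP_NEG_RSP or an RDP_NEG_FAILURE, which is exactly what mass scanners key on. The following is an added example, not code from this thread or from any of the posters; the sample replies are constructed for the example and not captured from the poster's hosts, and the `cookie_user` and function names are this example's own.

```python
import struct

# Protocol flags used in the RDP negotiation request/response (MS-RDPBCGR 2.2.1.1.1 / 2.2.1.2.1).
PROTOCOL_RDP = 0x00000000      # legacy "standard RDP security"
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication (NLA)
HYBRID_REQUIRED_BY_SERVER = 0x00000005   # RDP_NEG_FAILURE code: server insists on NLA


def build_x224_connection_request(cookie_user="probe", requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """First packet an RDP client (or a scanner) sends: TPKT header, X.224 CR TPDU, RDP_NEG_REQ."""
    cookie = ("Cookie: mstshash=%s\r\n" % cookie_user).encode("ascii")
    # RDP_NEG_REQ: type=0x01, flags, length=8, requestedProtocols (all little-endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    # X.224 CR: code 0xE0, dst-ref, src-ref, class option, then the variable part
    cr_body = b"\xE0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie + neg_req
    x224 = bytes([len(cr_body)]) + cr_body                 # LI = number of bytes that follow it
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, total length


def parse_x224_connection_confirm(data):
    """Parse a reply to the request above. Raises ValueError unless it is an X.224 Connection Confirm."""
    if len(data) < 11 or data[0] != 3 or data[1] != 0:
        raise ValueError("no TPKT header")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match")
    li, code = data[4], data[5] & 0xF0
    if code != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (0xD0)")
    info = {"selected_protocol": None, "failure_code": None, "nla_required": False}
    payload = data[11:5 + li]                 # bytes after the fixed CC part, bounded by LI
    if len(payload) >= 8:
        ptype, _flags, _length, value = struct.unpack("<BBHI", payload[:8])
        if ptype == 0x02:                     # RDP_NEG_RSP: server picked a protocol
            info["selected_protocol"] = value
            info["nla_required"] = bool(value & PROTOCOL_HYBRID)
        elif ptype == 0x03:                   # RDP_NEG_FAILURE: server refused our offer
            info["failure_code"] = value
            info["nla_required"] = value == HYBRID_REQUIRED_BY_SERVER
    return info


def fingerprint(reply):
    """Classify a reply the way a port scanner would: 'rdp-nla', 'rdp', or 'not-rdp'."""
    try:
        info = parse_x224_connection_confirm(reply)
    except ValueError:
        return "not-rdp"
    return "rdp-nla" if info["nla_required"] else "rdp"


# Constructed sample replies for this example (not captured from anyone's hosts):
# a Windows 10 host with NLA on, answering RDP_NEG_RSP with selectedProtocol = PROTOCOL_HYBRID ...
REPLY_NLA = bytes.fromhex("030000130ed000001234000200080002000000")
# ... the same kind of host rejecting a client that did not offer CredSSP (RDP_NEG_FAILURE, code 5) ...
REPLY_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
# ... a legacy server that accepts standard RDP security (CC with no negotiation payload) ...
REPLY_LEGACY = bytes.fromhex("0300000b06d00000123400")
# ... and an SSH banner, which a scanner must not mistake for RDP.
REPLY_SSH = b"SSH-2.0-OpenSSH_8.4\r\n"

if __name__ == "__main__":
    print(build_x224_connection_request().hex())
    for name, reply in [("nla", REPLY_NLA), ("nla_required", REPLY_NLA_REQUIRED),
                        ("legacy", REPLY_LEGACY), ("ssh", REPLY_SSH)]:
        print(name, fingerprint(reply))
```

The takeaway for the question above: the reply identifies the service and whether NLA is on, but it carries no hostname or domain, so the fingerprint tells a scanner "RDP on port 2203" and nothing more. Moving the port only changes how long the scan takes, and a host answering with RDP_NEG_FAILURE code 5 (NLA required) is the one that will not let a brute-forcer reach the logon screen before authenticating.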
I have the same question for AT&T cellphones. How am I getting spam, e.g. telemarketing, when I haven't given my number to anyone? Pay for spam guard at AT&P!!!
Here I am on window$, because I have to be for $chool; what a fool... but, learning! FreeMothedFingDumb 1yr olds learn it!? dou:p
I need to check my logs. I only use RDP on my local LAN or VPN, so not a big deal... Personally I would never allow access to the world.
I would say the server is writing the log using its hostname. The script kiddies just scan your IP address until they find something interesting and then try to crack the password. There are other ways to make it more secure. https://www.mcafee.com/blogs/other-b...ity-explained/
I guess they try all the phone numbers generated from 000000000 to 999999999 (and also they may try IP ranges). They don't care who you are and where you are.
To build on what pan64 said, I doubt that you are being targeted directly. It's most likely random port scans when it's computers and random phone number calls when it's phones.
It's like the "expired car warranty" phone scam. They don't know who they are calling; they are just calling numbers.
I agree it is a random port scan. When I used to have my home servers SSH-accessible to the internet, my fail2ban log was filled with thousands of attempted logins. There are places like Shodan that list servers and the services they advertise to the internet, which are used to make lists of targets.
So you should put your server behind a firewall and use a VPN connection to connect, then use RDP or other services.
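To make the fail2ban point concrete, and to settle the hostname question from the first post, here is an added example (not code from this thread or from fail2ban itself) that parses auth-failure lines in the format quoted at the top of the thread and applies fail2ban-style `maxretry`/`findtime` logic per source IP. Only the 45.227.253.39 line is taken from the thread; the other sample lines are constructed for this example, as are the function names. The parser deliberately separates what the server wrote about itself (the `DBMACHINE.BOGO.LOCAL` realm) from what the remote side supplied (user name, source IP, port).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample log in the format quoted in the first post. Line 1 is the line from the post;
# the remaining lines are constructed for this example.
SAMPLE_LOG = """\
[2022/01/19 16:15:19.670110, 2] authentication for user [DBMACHINE.BOGO.LOCAL/Administrator] FAILED with error NT_STATUS_NO_SUCH_USER, port: 2203, IP: 45.227.253.39
[2022/01/19 16:15:21.100000, 2] authentication for user [DBMACHINE.BOGO.LOCAL/admin] FAILED with error NT_STATUS_NO_SUCH_USER, port: 2203, IP: 45.227.253.39
[2022/01/19 16:15:23.500000, 2] authentication for user [DBMACHINE.BOGO.LOCAL/test] FAILED with error NT_STATUS_NO_SUCH_USER, port: 2203, IP: 45.227.253.39
[2022/01/19 16:16:02.000000, 2] authentication for user [DBMACHINE.BOGO.LOCAL/jsmith] FAILED with error NT_STATUS_WRONG_PASSWORD, port: 2203, IP: 192.0.2.10
[2022/01/19 16:30:00.000000, 2] authentication for user [DBMACHINE.BOGO.LOCAL/backup] FAILED with error NT_STATUS_NO_SUCH_USER, port: 2203, IP: 45.227.253.39
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+, \d+\] "
    r"authentication for user \[(?P<realm>[^/\]]+)/(?P<user>[^\]]+)\] FAILED with error "
    r"(?P<status>NT_STATUS_\w+), port: (?P<port>\d+), IP: (?P<ip>[\d.]+)$"
)

# Which fields the remote side chose versus which the server filled in about itself.
ATTACKER_SUPPLIED = ("user", "ip", "port")
SERVER_SUPPLIED = ("realm", "status", "ts")


def parse_line(line):
    """Return a dict of fields for one failure line, or None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S")
    d["port"] = int(d["port"])
    return d


def realms_seen(lines):
    """Distinct realm/host prefixes in the log. With one logging host this is a one-element set,
    because the realm is the server's own name, not something the remote side sent."""
    return {e["realm"] for e in map(parse_line, lines) if e}


def ips_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: ban a source IP once it has >= maxretry failures inside any
    sliding window of length findtime. Returns {ip: total failures seen}."""
    events = defaultdict(list)
    for e in map(parse_line, lines):
        if e:
            events[e["ip"]].append(e["ts"])
    banned = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > findtime:   # shrink window from the left
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = len(times)
                break
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("realms written by the server:", realms_seen(lines))
    for ip, n in ips_to_ban(lines).items():
        print("ban", ip, "after", n, "failures")
```

Every line in the sample carries the same realm because the Samba host writes its own name into the record; the remote side only influences the user name, the port it hit and the IP it came from. That is the same conclusion the replies below reach, and it is why a blocklist is keyed on the IP field rather than on anything in the `[realm/user]` bracket.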
It can tell someone the address of every machine on your LAN. That I know for certain.
I'm going to check into Trihexagonal's suggestion on Firewalk -- that may take some time to install and test. Given that Firewalk "can tell someone the address of every machine on your LAN", is there a way to prevent this from happening? That seems like a rather huge security risk.
Later: Currently, unable to build firewalk 5.0 on either Slackware 14.2 or slackware-current. Slackware 14.2 gives:
Code:
# ./configure
Code:
# ./configure
Has anyone installed firewalk on Slackware? What system(s) have you (Trihexagonal?) installed it on?
Code:
gcc -DHAVE_CONFIG_H -I. -I. -I../include -g -O2 -Wall -c firewalk.c
So, Trihexagonal, since you've done this, for certain, can you tell me what firewalk command line options I need to see these LAN hosts? I've tried numerous permutations, but only ever get:
Code:
firewalk -S 1901-1920 -T 5 -p TCP 1.2.3.4 100
Thanks
I don't think that would be appropriate.
You don't really need to find new ways you can "hack" yourself.
Fail2ban and VPN are noted.
I've been on this forum for 14 years - I don't think anyone needs to worry about me going to the dark side and starting to try to break into other systems. I manage a public system with high-desirability content and I am trying to keep the bad guys out. In the 15 years I've been doing perimeter security I've not seen a hacker gain knowledge of this internal topology before -- so I'm trying to figure out how they did it so I can block that hole, if possible.
I don't think they are getting your hostname. When I log in to a remote host via RDP I just use its IP address, but the log automatically includes its actual hostname. I just assume that your hostname resolves to an FQDN.
As you stated, the username and password are just guesses by the hackers.
I'll consider this issue closed, but if others want to post follow-up comments I'll check back.