Educause Security Discussion mailing list archives

Re: Domain Controller Attacks


From: "Hoffman, Michael" <mhoffman () SBU EDU>
Date: Fri, 14 Oct 2005 11:41:43 -0400

We have seen this in the past, and it has always been a virus.  We used
netmon on our domain controllers to determine the IP addresses of the
requests, and then cleaned the infected machines.



Michael S. Hoffman
Executive Director for Information Technology
St. Bonaventure University
mhoffman () sbu edu
716-375-2530
http://www.sbu.edu

-----Original Message-----
From: Wayne Bullock [mailto:wayne () FAU EDU] 
Sent: Friday, October 14, 2005 10:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Domain Controller Attacks

Our Systems group that runs our Microsoft domain controllers are
complaining about automated attacks that systematically attempt to
break into accounts. Their main concern is that accounts become
blocked after 3 attempts. So, this is felt by users as a DoS. The
legitimate users can't authenticate.

Working with Security, they believe it's some type of virus that
appears to be going around on students' machines. Is anyone else seeing
this?

Wayne Bullock
Associate Director, Network Services
Florida Atlantic University
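
The triage both messages describe (finding which source addresses are behind the failed logons that trip the 3-attempt lockout) can be sketched as follows. This is an added example, not part of either message: it assumes the failed-authentication records have already been exported to a CSV with the hypothetical columns `timestamp,source_ip,account`, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

LOCKOUT_THRESHOLD = 3  # failed attempts before lockout, as stated in the thread

# Constructed sample of failed logons (hypothetical export format, documentation IPs).
SAMPLE = """timestamp,source_ip,account
2005-10-14T10:00:01,192.0.2.15,asmith
2005-10-14T10:00:02,192.0.2.15,ASMITH
2005-10-14T10:00:03,192.0.2.15,asmith
2005-10-14T10:00:04,192.0.2.15,bjones
2005-10-14T10:00:05,192.0.2.15,bjones
2005-10-14T10:00:06,192.0.2.15,bjones
2005-10-14T10:00:07,192.0.2.15,cdoe
2005-10-14T10:01:10,198.51.100.7,evans
2005-10-14T10:01:40,198.51.100.7,evans
2005-10-14T10:02:00,198.51.100.7,
2005-10-14T10:03:00,192.0.2.44,asmith
2005-10-14T10:03:30,192.0.2.44,bjones
"""

def summarize_sources(csv_text, threshold=LOCKOUT_THRESHOLD):
    """Per source IP: failures, distinct accounts tried, accounts it pushed to lockout."""
    per_source = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = (row.get("source_ip") or "").strip()
        acct = (row.get("account") or "").strip().lower()  # account names are case-insensitive
        if ip and acct:  # skip malformed rows instead of counting them
            per_source[ip][acct] += 1
    report = []
    for ip, accounts in per_source.items():
        locked = sorted(a for a, n in accounts.items() if n >= threshold)
        report.append({"source_ip": ip, "failures": sum(accounts.values()),
                       "distinct_accounts": len(accounts), "locked_out": locked})
    # Hosts that try the most different accounts come first.
    report.sort(key=lambda r: (-r["distinct_accounts"], -r["failures"], r["source_ip"]))
    return report

def suspect_sources(report, min_accounts=3):
    """Failing against many accounts looks automated; one account looks like a typo."""
    return [r["source_ip"] for r in report if r["distinct_accounts"] >= min_accounts]

if __name__ == "__main__":
    for entry in summarize_sources(SAMPLE):
        print(entry)
```

Ranking by distinct accounts rather than raw failure count separates a machine that is working through an account list from a single user who has mistyped a password a few times.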
 
