intruder detection from internal net number

Status
Not open for further replies.

nikky

Programmer
Feb 7, 2002
80
US
Recently there was an intruder lockout detected on one of our servers - the user name was Supervisor and the address was detected as 3DC78B: 0000001 -. Does this mean the logon attempts were from the server console? If not, what other logon method would leave a record like this?

 
>>Does this mean the logon attempts were from the server console?<<

Yes. Strange that it locked the Supervisor account and not the Admin account though. That sounds as if someone that only knows NetWare 3.x was trying to gain access.
 
Did someone install an older program like Mercury mail? Or the David faxware? These systems need to have a login to run, and in their default state might be trying to use the supervisor account with an invalid password. At the console type "modules" and see if there is anything unusual running.

Jon

There is much pleasure to be gained from useless knowledge. (Bertrand Russell)
 
Just a comment.. You mention the NetWare 3.x supervisor thing. The interesting thing is that when you do research on how to hack Novell, most of the stuff you come up with is for 3.x and early 4.x.. all of it is very outdated and most of it won't work unless the admin hasn't taken basic security precautions.

If someone is trying to compromise your systems, they may be using that old information and trying to use the supervisor account. Even if you don't have a Supervisor account in NDS, there "MAY" be a supervisor account still in the bindery and that is what they are trying to get to. I can't honestly remember what would make the supervisor account exist, but am guessing that a server upgraded from 3.x would have that information on it.

Get a copy of SYSCON.EXE and poke around with it and see what you can do with it. It's kind of fun to do and you'll see some interesting things.

Marvin

Marvin Huffaker MCNE, CNE
Marvin Huffaker Consulting
 
Dunno about NetWare 5.x but I remember that on NetWare 4.x MONITOR used to have the option of locking the keyboard. There were two ways of getting keyboard access back:

a) Type in the password that was set
b) Type in the bindery SUPERVISOR password.

The latter, although it was NDS, could be accessed via SYSCON (bindery) and the password for the SUPERVISOR account could be changed. Was pretty useful if some dumbo had forgotten the password they had set. Mind you, this is not needed now as you can just use the screensaver NLM.

-----------------------------------------------------
"It's true, it's damn true!"
-----------------------------------------------------
 
marvhuffaker,

>>I can't honestly remember what would make the supervisor account exist, but am guessing that a server upgraded from 3.x would have that information on it.<<

There is in fact a supervisor account on every installed NetWare server at least up through 5.1. It does not appear in the NDS tree, but is accessible via the bindery (with Syscon or SysconW). We change those passwords whenever we change the NDS Admin passwords.

I'm not sure if it is an issue now with 5.x or 6.x, but one of the security pieces with NetWare 4.11 was to change the supervisor password upon installation of any new server.
 