NT LM Security Support Provider

[jayjay66]

Hi All,

I'm running and DNS server with SQL Server and windows 2003 server. I have this service call "NT LM Security Support Provider" which is set as "Started/Manual". I have a feeling that I'm being hacked thru this service becuase in my Audit Log it say that an Anonymous logon thru Logon Process: NtLmSsp and the Username ANONYMOUS LOGON. I would like to stop that service "NT LM Security Support Provider" but it is dependant on other service including "DNS Server" serviec which I need running. Are there any patches or anyhing I can do to stop this hacker from logging in thur this process? Please help.

Thanks,
JJ

 

[TekJunkie01]

This service is used to authenticate RPC based programs that don't use standard named pipes. I really doubt that this is a hacker. If I were you, I would run a siffer and see exactly what types of communication are occurring when these alerts appear. You will probably pinpoint it to a normal app. Since this service is for security support, I think it would be pretty serious if it vulnerable to attack. There would certianly be an official announcement about this, and I have found none.

You can always disable the service, but you may find that doing so will cripple whatever app is using it for authentication. Just make sure you have a properly
configured firewall that blocks NetBIOS traffic and ports like 445 and you should be fine.

 

[jayjay66]

I'm pretty sure it's a hacker. I've mananged to trace it back to an IP residing on a university campus.

What can I do to prevent this from happening. I seem to be getting more and more each day.

Help please!

Thanks,
JJ

 

[TekJunkie01]

If you can trace the IP, maybe its time to place a call to the campus officials. I would discover what port this hacker is riding in on and block it at the firewall. I don't believe this service would be (or should be) exposed if the firewall is configured properly.

Still, I don't really think its a hacker, but better safe than sorry right? Change passwords, reduce surface exposure, properly configure your service accounts, enable auditing, etc. How have you traced this IP, just out of curiosity?

 

[jayjay66]

How do I find out which port the hacker is using??

I've changed passwords on all accounts and enabled auditing.

I've traced the IP thru DNSStuff.com

Please help!

Thanks,
JJ

 

[TekJunkie01]

Do you have a firewall in place? In order to use DNSStuff to get the geo loc, you first need the IP. Where did you find it? How have you associated this Ip with the service in question? Finally, you discover what port to block by researching which port this service listens on.

I would imagine it would be an RPC port, based on the purpose of the service. MS uses 135 for their RPC endpoints, so maybe this would be a good place to start? I'm not the most knowledgable person on this, so hopefully someone with a better understanding will chime in for you.

 

[jayjay66]

Nope, no firewall in place. I know I know I know. HOwever, I can't really put a firewall because the server needs to authenticate people as they logon (I'm using SQL Server, IIS, Win2003, VOP Radius Server, Websites, DNS's). Ican't really block any ports, users need to login to authenticate themsleves.

Getting back to the IP known. I got the IP thru Auditing which was enabled.


How do I know which service the hacker is using to exploit the system??

Any body help please...

thanks,
JJ

 

[jayjay66]

This is what I get in my Audit Log:

Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: NONE-WINXP
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 65.39.18.75
Source Port: 0

 

[TekJunkie01]

I'm sorry to have to say this, but this service is the absolute LEAST of your worries. I run most of the same services, and then some, here in my shop and all are secured behind TWO firewalls. You are only blocking off the internet, not your local net. People can still use the services.

Please believe me when I say that there IS a way to secure EVERYTHING and still maintain functionality. The truth of the matter is that you have probably already been hacked and don't even know it. If not, you will be. The answer to your question is to install a firewall. You can put countless hours into securing you current set, but in the end the door is still wide open.

A+, N+, MCSA:Messaging, MCSE