Mysterious Domain Appears...

Doc

Distinguished
Jan 11, 2003
701
0
18,980
Archived from groups: microsoft.public.windowsnt.domain (More info?)

Was looking at a client's network this afternoon, behind a natted
CISCO with some other twists (no telnet enabled, hash p/ws,
some publics redirected to privates behind the router)
and suddenly, in Windows Explorer/network neigh. saw a
'rogue' DOMAIN... we have ONLY one domain, this 'new' one
appeared and, while in NT4 the trusts are more difficult,
I believe I determined that there was no 'trust' relationship.
But I could not rid our network of it "UNTIL" I disconnected
our T1 line... then it was gone instantly.

We made some changes to the router and passwords and enabled
more logging but ANYONE have ANY IDEA what kind of 'hack' that
could've been? Or even if it 'really' was a hack. Our password
complexity is very high, indeed we have even restricted the
administrator from NOT being able to access the 'sensitive'
data... but it kinda made me restless... Ideas gratefully
received. Thanks.
--
Rich "Doc" Colley

mailto: pc-dc-doc@nospam.comcast.net
Guest

In order for an outside name to show up in the list, the
firewall must allow NetBIOS packets in, which would
defeat its purpose entirely. Could you double click on
the domain and get a valid response? Did you try to
resolve the TCP/IP address of the rogue domain? A
machine which is not a domain member, rather logging
in locally to the computer, will register the computer
name as a workgroup/domain.

Doc

Michael Giorgio - MS MVP typed this:

> In order for an outside name to show up in the list the
> firewall must allow NetBIOS packets in which would
> defeat its purpose entirely. Could you double click on
> the domain and get a valid response? Did you try to
> resolve the tcp/ip address of the rogue domain? A
> machine which is not a domain member rather logging
> in locally to the computer will register the computer
> name as a workgroup/domain.


Believe that the CISCO is blocking NetBIOS but will double
check immediately...
Double clicking got a constant hourglass and finally an
empty 'browse' window... we could NOT determine the IP
address. Did not show up in NTBStats or anything... even
a Google search with .com, .org, .net, etc., brought no
clues as to who...
INTERESTING... the last line, a machine not a domain member
logging in locally... we had ONE visitor on the evening of
the day prior that was attached to our network... no login,
not even as a guest, but connected for Internet access only.
I am wondering if that would've done something? But the
disconnect from the 'Internet' and the quick 'bye-bye' of
the weird domain leaves me suspicious. I'll really check the
NetBIOS allowance... need to reconfigure the Cisco anyway, yuk.
Other ideas greatly appreciated!! THANK YOU very much.
--
Rich "Doc" Colley

mailto: pc-dc-doc@nospam.comcast.net
Guest


By default the firewall will block this type of access to your network
because that is its main function, but if you can telnet to it and run
show config you can verify this.

I'd be willing to bet that client computer is responsible for the
rogue domain/workgroup. If you can find out the computer
you should be able to verify.
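An added example (not part of the thread) of the check described in the replies above, done from the wire rather than from Network Neighborhood: it decodes NetBIOS name-service registration requests (the UDP 137 traffic a non-member machine sends when it announces its workgroup) and reports any group <00> name that is not one of our own domains, together with the IP address that registered it. Packet contents, names and addresses are constructed for the demonstration.

```python
import struct
NB_FLAG_GROUP = 0x8000  # G bit in NB_FLAGS: a group (workgroup/domain) name, not a unique host name

def encode_nb_name(name, suffix):
    # First-level encoding (RFC 1001 s14.1): 15-char padded name + suffix byte, each nibble -> 'A'..'P'
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([len(enc)]) + enc + b"\x00"

def decode_nb_name(pkt, off):
    # Returns (name, suffix, offset just past the label)
    n, enc = pkt[off], pkt[off + 1:off + 1 + pkt[off]]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, n, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + n + 2

def build_registration(name, suffix, ip, group):
    # CONSTRUCTED sample: broadcast NAME REGISTRATION REQUEST as sent on UDP 137 (opcode 5, flags 0x2910)
    header = struct.pack(">HHHHHH", 0x1234, 0x2910, 1, 0, 0, 1)
    question = encode_nb_name(name, suffix) + struct.pack(">HH", 0x0020, 0x0001)
    rr = b"\xc0\x0c" + struct.pack(">HHIHH", 0x0020, 0x0001, 300000, 6, NB_FLAG_GROUP if group else 0)
    return header + question + rr + bytes(int(o) for o in ip.split("."))

def parse_registration(pkt):
    # Returns {name, suffix, group, ip} for a registration request, else None
    _, flags, qd, _, _, ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if (flags >> 11) & 0xF != 5 or qd != 1 or ar != 1:   # opcode 5 = registration
        return None
    name, suffix, off = decode_nb_name(pkt, 12)
    off += 4                                          # QUESTION_TYPE + QUESTION_CLASS
    if pkt[off] & 0xC0 == 0xC0:
        off += 2                                      # pointer back to the question name
    else:
        _, _, off = decode_nb_name(pkt, off)
    nb_flags = struct.unpack_from(">HHIHH", pkt, off)[4]
    ip = ".".join(str(b) for b in pkt[off + 12:off + 16])   # NB_ADDRESS follows the 12-byte RR header
    return {"name": name, "suffix": suffix, "group": bool(nb_flags & NB_FLAG_GROUP), "ip": ip}

def rogue_workgroups(packets, known_domains):
    # (workgroup, ip) for every group <00> registration that is not one of our own domains
    hits = []
    for pkt in packets:
        r = parse_registration(pkt)
        if r and r["group"] and r["suffix"] == 0x00 and r["name"] not in known_domains:
            hits.append((r["name"], r["ip"]))
    return hits
# Constructed traffic: our own domain, a workstation's unique <20> name, and a visitor's laptop
SAMPLE = [build_registration("OURDOMAIN", 0x00, "10.0.0.5", True),
          build_registration("WKSTN1", 0x20, "10.0.0.9", False),
          build_registration("DOCSLAPTOP", 0x00, "10.0.0.77", True)]
```

Running `rogue_workgroups(SAMPLE, {"OURDOMAIN"})` on real captures (a packet per UDP 137 datagram) gives the registering host's address directly, which is what the thread could not get from the browse window.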
Doc


You are (were) so RIGHT. I found out that the ONE visitor's name
was the same as the rogue DOMAIN. That was the culprit. About to
begin setting up a (previously) purchased SonicWall 230-Pro...
will allow the Cisco 2620 to run through with some exceptions
and do most of the Firewalling thru the faster SonicWall...

Many thanks for the heads up.




--
Rich "Doc" Colley

mailto: pc-dc-doc@nospam.comcast.net
Guest

Glad to help, Doc, and thank you for the update. A firewall
is a good idea.

Guest

You can have all the firewalls you want, but if someone can plug their laptop
into the network, boom, it's connected to you :)