Re: strange account in Win2k

From: Maxime Ducharme (maxime@pandore-design.com)
Date: Tue May 28 2002 - 13:01:15 PDT


    Hi guys,
        I saw this thing when our domain controller crashed.
    
    The admin replaced it with a completely new domain controller
    which had the same IP, name & config.
    
    When workstations started to reconnect to this new domain
    controller with old settings and SID, we saw this kind of account
    appear on almost all workstations.
    
    We didn't find any way of getting it back; we had to delete and
    recreate all.
    
    If someone happens to be able to explain what exactly happens,
    I'd like to read about it.
    
    Tia & bye
    
    Max
    
    
    ----- Original Message -----
    From: "Admiraal, J.E. (CDIV)" <J.E.Admiraalat_private>
    To: "'Mark Fagan'" <Mark.Faganat_private>; <incidentsat_private>
    Sent: Tuesday, May 28, 2002 1:02 PM
    Subject: RE: strange account in Win2k
    
    
    > These account ID's are usually domain accounts that are not (yet)
    > identified by the local machine. It could also be an account that no
    > longer is recognised by the local machine.
    >
    > We have the same occurrences here, but waiting for a bit usually clears up
    > everything to an understandable domain account ("domain\username ")
    >
    >
    >
    > -----Original Message-----
    > From: Mark Fagan [mailto:Mark.Faganat_private]
    > Sent: Tuesday, 28 May 2002 17:30
    > To: incidentsat_private
    > Subject: strange account in Win2k
    >
    >
    > While setting additional privileges on a Win2k webserver I noticed that
    > certain privileges (logon as batch job, act as part of o/s, logon locally
    > and network) were applied to a very strange account -
    > *S-1-5-21-527237240-162531612-725345543-1008 which is not seen as a user
    > account. Any ideas, folks?
    >
    > Mark Fagan
    > TDA
    > Esat Business
    > 1 Grand Canal Quay
    > Dublin 2, Ireland.
    > E mark.faganat_private
    > www.esatbusiness.com
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    
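The thread's point is that a `*S-1-5-21-...` entry in a privilege list is a SID the local machine can no longer map to a name: either the domain controller is temporarily unreachable, or (as in Max's rebuilt-DC case) the old domain SID no longer exists anywhere. The script below is an added example, not code from any poster; it exports the local User Rights Assignment with `secedit.exe`, tries to resolve every SID it finds, and reports the unresolved ones together with their domain-SID prefix so an admin can compare that prefix against the current domain's SID. The function name `Get-UserRightsSidStatus` and the scratch file under `$env:TEMP` are assumptions of this example.

```powershell
# Added example: audit User Rights Assignment for SIDs that do not resolve.
# Run in an elevated PowerShell session on the machine being checked.
function Get-UserRightsSidStatus {
    # Assumed scratch path for the secedit export (not from the thread).
    $inf = Join-Path $env:TEMP 'secpol-user-rights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw "secedit export failed; run elevated" }

    $inRights = $false
    foreach ($line in Get-Content $inf) {
        # Only the [Privilege Rights] section carries the assignments.
        if ($line -match '^\[Privilege Rights\]') { $inRights = $true; continue }
        if ($line -match '^\[')                   { $inRights = $false; continue }
        if (-not $inRights -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }

        $privilege = $Matches[1]
        foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if ($entry -eq '') { continue }

            # secedit writes raw SIDs with a leading '*'; names are written as-is.
            if ($entry -notmatch '^\*S-1-') {
                [pscustomobject]@{ Privilege = $privilege; Entry = $entry
                                   Account = $entry; DomainSid = $null; Resolved = $true }
                continue
            }

            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
            try {
                $name     = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $resolved = $true
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # Thrown both when the DC is unreachable and when the SID is orphaned;
                # the DomainSid column lets the admin tell the two apart.
                $name     = $null
                $resolved = $false
            }
            [pscustomobject]@{ Privilege = $privilege; Entry = $entry; Account = $name
                               DomainSid = $sid.AccountDomainSid; Resolved = $resolved }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
}

# Usage: show only the entries that did not resolve, grouped by privilege.
Get-UserRightsSidStatus | Where-Object { -not $_.Resolved } |
    Sort-Object Privilege | Format-Table Privilege, Entry, DomainSid -AutoSize
```

If the `DomainSid` column matches the current domain's SID, the account was probably deleted or the DC was simply not reachable when you ran the check, which is Admiraal's "wait a bit" case; if it shows a domain SID that no longer exists, as after a DC rebuilt from scratch, the entry is a dead reference that will never resolve and should be removed from the policy (or replaced by a GPO that assigns the right to the current accounts).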



    This archive was generated by hypermail 2b30 : Tue May 28 2002 - 14:12:40 PDT