Re: strange account in Win2k

From: Kevin (kevinat_private)
Date: Tue May 28 2002 - 14:20:13 PDT


    I have seen this before as well.  I know that this sounds strange, but could you
    detect a change in hair color of the icon?  Grey hair represents an account that
    has been modified but replication has not yet been completed.
    
    A SID ending in 1008 usually represents an account that is user defined.  The
    group membership of the account is interesting.  The "Network" group is a system
    related group that is self generated, like the Everyone group and the
    Interactive group.
    
    I might be a little out in left field, but a SID ending in 1008 is the 7th account you
    created.  You might want to run user2sid/sid2user to determine which account it
    was.
    
    my 2 cents.
    
    kevin
    
    
    Dan Cuthbert wrote:
    
    > Is this machine part of a Domain? if so that is normally the domain acc
    >
    > * Mark Fagan (Mark.Faganat_private) Tapped away:
    > > While setting additional privileges on a Win2k webserver  I noticed that
    > > certain privileges (logon as batch job, act as part of o/s, logon locally
    > > and network) were applied to a very strange account -
    > > *S-1-5-21-527237240-162531612-725345543-1008 which is not seen as a user
    > > account. Any ideas folks ?
    > >
    > >               Mark Fagan
    > >               TDA
    > >               Esat Business
    > >               1 Grand Canal Quay
    > >               Dublin 2, Ireland.
    > >               E mark.faganat_private
    > >               www.esatbusiness.com
    > >
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see: http://aris.securityfocus.com
    > >
    >
    > Dan Cuthbert
    > Network Security Consultant
    > IdSec
    > Key fingerprint = 9BFB 60F1 1B46 F9F0 4E2C  84A6 8D04 E771 54A6 1116
    >
    
    --
    v/r
    
    Kevin Steiner
    MCT, MCSE, MCSA, MCDBA
    
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: PGP 6.5.8
    
    mQENAzzM1coAtAEIAMqRBVu8bA/eEEcqGyFQ0pwuc22wvV5cpeE5LVcgjwXabdV1
    A3pVzEAJsuGTrq77VcQTwusmCcZPErQXx0IQRyIrWRm0oukJsN7ZR3k5uv58F26G
    8JUW2TYzBGmpb0EzR/LphNqG71958ZEvWaxS6Ks1FCyopU51MmF7daDJ89pXrCwY
    lXp2pojKFP+aqYZ+abGRXNyNrRhfsmmIo+Vl5jZ/5INPuWThI1J1wj8eyQiVeXAc
    V9ZuTKxWGPnRkWiuwLl3lEkQtDqcYcGM+FOgxfhMHb97jYF5kbFTmpLs4BRroqNp
    i6B4dMRZgGx1d/0jDpmQ0zkHR3akTv4W7qK4ogUABRG0JEtldmluIFQuIFN0ZWlu
    ZXIgPGtldmluQGt0c3RvbmUuY29tPokBFQMFEDzM1cpO/hbuoriiBQEBXn8H/iGw
    RBEq/tCJdm3BPq/Gf8vA3872QM3c9ri90NgP9Ixh//Mxp8F+57nsjp/2fcOQs3xl
    g9gwGENc4Q8iDJgnMF3vfyeI/VL/XZfHJqEfDAASU3SLJca4qC0NISMF4B7L8OrQ
    d86oGjUczBcofZQJEUhfvc3ztbNoPm4+xZKWDgtIrpiqdYGTMd5Vr3P0ImKQnpSm
    JVr8r3Cb5YZteRRsDNuTlGuOPIqIKyc10TH5r0g50j953oZbIlA2EtTOrLIqccHH
    r/kZrO9Y6Rl6lCLLW36QkUXAJWJGFIlb6n5fHUboUFdTPx+/S/BfV1LIQdanmn2v
    8hlIbwRF7gqIQQDIFKY=
    =DD3g
    -----END PGP PUBLIC KEY BLOCK-----
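A worked decoder for the kind of SID discussed in this thread, added here as an example; it is not code from Kevin's post, nor from the user2sid/sid2user tools he names. It parses the textual S-1-... form (including the leading `*` that secedit templates put in front of SIDs, which is how Mark's pasted value reads) and the binary form, then classifies the principal: a well-known group Windows generates itself (Everyone, NETWORK, INTERACTIVE), a reserved RID below 1000 (Administrator, Guest, Domain Admins), or a user-created RID of 1000 or above. The machine SID used to decide local-versus-domain scope is assumed, for illustration, to be the first four components of the SID from the thread; the well-known tables are deliberately short.

```python
"""Decode and classify Windows security identifiers (SIDs).

Added example for the thread above; not code from the original post or from
the user2sid/sid2user tools it mentions. Sample SIDs are the one quoted in the
thread plus values constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Well-known SIDs that Windows generates itself; they live in no SAM and have no RID.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-4": "INTERACTIVE",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "LOCAL SYSTEM",
}

# RIDs below 1000 are reserved. 502 and 512-514 exist only in a domain.
RESERVED_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def from_string(cls, text):
        # secedit .inf templates write SIDs as *S-1-5-..., so tolerate the star.
        parts = text.strip().lstrip("*").split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError("not a SID: %r" % text)
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if revision != 1 or len(subs) > 15:  # SID_MAX_SUB_AUTHORITIES is 15
            raise ValueError("malformed SID: %r" % text)
        return cls(revision, authority, subs)

    @classmethod
    def from_bytes(cls, blob):
        # Binary layout: revision (1 byte), sub-authority count (1 byte),
        # identifier authority (6 bytes, big-endian), then count x uint32 little-endian.
        if len(blob) < 8:
            raise ValueError("SID blob too short")
        revision, count = blob[0], blob[1]
        authority = int.from_bytes(blob[2:8], "big")
        if len(blob) != 8 + 4 * count:
            raise ValueError("SID blob length does not match sub-authority count")
        subs = struct.unpack("<%dI" % count, blob[8:])
        return cls(revision, authority, tuple(subs))

    def to_bytes(self):
        return (bytes([self.revision, len(self.subauthorities)])
                + self.authority.to_bytes(6, "big")
                + struct.pack("<%dI" % len(self.subauthorities), *self.subauthorities))

    def __str__(self):
        return "S-%d-%d" % (self.revision, self.authority) + "".join(
            "-%d" % s for s in self.subauthorities)

    @property
    def is_account_sid(self):
        # S-1-5-21-<three 32-bit words>-<RID>: an account in a machine SAM or a domain.
        return self.authority == 5 and len(self.subauthorities) == 5 and self.subauthorities[0] == 21

    @property
    def issuer(self):
        # The machine or domain identifier: everything except the trailing RID.
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    @property
    def rid(self):
        return self.subauthorities[-1]


def classify(sid, machine_sid=None, domain_sid=None):
    """Describe what kind of principal `sid` names and, if possible, who issued it."""
    text = str(sid)
    if text in WELL_KNOWN:
        return "well-known: %s" % WELL_KNOWN[text]
    if not sid.is_account_sid:
        return "unrecognised SID"
    if machine_sid is not None and sid.issuer == machine_sid:
        scope = "local"
    elif domain_sid is not None and sid.issuer == domain_sid:
        scope = "domain"
    else:
        scope = "unknown issuer"
    if sid.rid in RESERVED_RIDS:
        return "%s built-in account: %s (RID %d)" % (scope, RESERVED_RIDS[sid.rid], sid.rid)
    if sid.rid < 1000:
        return "%s reserved RID %d" % (scope, sid.rid)
    # Users, groups and machine accounts share the RID counter from 1000 up,
    # and RIDs of deleted objects are not reused, so the RID alone does not say
    # how many accounts exist, only that this one was created by an admin.
    return "%s user-created principal, RID %d (>= 1000, so not built in)" % (scope, sid.rid)


if __name__ == "__main__":
    # Constructed assumption: the web server's machine SID is the issuer part of Mark's SID.
    machine = Sid.from_string("S-1-5-21-527237240-162531612-725345543")
    for s in ("*S-1-5-21-527237240-162531612-725345543-1008", "S-1-5-2", "S-1-5-4", "S-1-1-0"):
        sid = Sid.from_string(s)
        print(sid, "->", classify(sid, machine_sid=machine))
```

On a live Windows host the same question is answered by resolving the SID directly, for example with `([System.Security.Principal.SecurityIdentifier]"S-1-5-21-...-1008").Translate([System.Security.Principal.NTAccount])` in PowerShell, and `secedit /export /cfg rights.inf` dumps the user-rights assignments in the same `*S-1-5-...` notation Mark pasted. Whether the issuer matches the local machine SID or the domain SID is what settles Dan's question of local versus domain account.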
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue May 28 2002 - 15:06:07 PDT