Hail, I have a Windows 2000 Server machine with a real IP address and 3389/tcp available. Since this morning, I've noticed lots of attempts (Security Eventlog) of someone trying to change the TsInternetUser password (no success, only failures). I would like to know if there are any utilities that would enable someone to change this password (I think not), or any known attacks that might use any vulnerability in TS that would enable someone to gain access through this account. The W2K server is fully patched. Any ideas ? I temporarily configured TS to only accept connections from the internal network until I can find out the possibilities. What is intriguing me is the fact that until now, I thought that anyone must be logged on to try to change a password. And only one user has TS granted (since this user is admin equiv, I don't think that it has been compromised: since it is admin equiv, if someone does know it's password, a natural course of action would be simply to create a new account). Thanks in advance, Romulo M. Cholewa Home : http://www.rmc.eti.br Forum: http://zeus.rmc.eti.br/forum PGP Keys Available @ website. "Everything should be made as simple as possible, but not simpler." -- Albert Einstein ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Dec 15 2002 - 13:25:42 PST