Hello,

Well, some more information would be needed. I.e. Dell PCs ship with the support account active.

Ed

> -----Original Message-----
> From: Ostfeld, Thomas [mailto:tostfeldat_private]
> Sent: Thursday, January 02, 2003 3:34 PM
> To: 'incidentsat_private'
> Subject: Mysterious "Support" account created on Win2k server
>
> One of my web servers appears to have had an intrusion. The box is Win2k
> Advanced Server, SP3, up to date on all security patches. I first became
> aware of a problem when the main website hosted on the box became
> inaccessible. Checking the machine, I discovered that the Local Security
> Policy had been altered so as to remove the Everyone and Local Administrators
> group from the "Access this machine from the network" policy. In place was a
> single local account called "Support" that I did not recognize.
>
> Looking into the accounts database, I discovered this account with a
> description of "Built in account for providing user support." It was also
> part of the administrators group. Needless to say, this looked suspicious,
> so I locked the server back down and set up intrusion detection to look for
> further attempts to exploit the account.
>
> I know approximately when the attack occurred, but I am still puzzled as to
> how it was done. The web logs show the usual IIS root exploit attempts, but
> those all fail. Everything else looks normal. I've scoured the machine
> pretty thoroughly for bots, trojans, viruses, hidden and altered files, and
> have so far come up empty. No weird open ports either.
>
> Has anyone seen this before? There are one or two postings of the same
> nature on Google, but little else to give me something to go on.
>
> Tom Ostfeld
> Knowledge Impact
> Ostfeld7 (AIM)
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
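A defender's check for the three indicators Tom reports (a local account whose description claims to be "built in" although only Administrator and Guest carry the built-in RIDs 500 and 501, an unexpected member of the local Administrators group, and a rewritten "Access this computer from the network" right), added here as an example and not part of the original thread. It assumes a current Windows host with Windows PowerShell 5.1 run from an elevated prompt; the account name "Support" and the description wording come from the report, while the expected-administrators list is a placeholder for your own baseline.

```powershell
# Added example: audit a host for the indicators in the report above.
# Assumes Windows PowerShell 5.1 (Get-LocalGroupMember) and an elevated session.

$ComputerName = $env:COMPUTERNAME

# 1. Local accounts whose description claims built-in status but whose RID is
#    not 500 (Administrator) or 501 (Guest), plus any account named "Support".
$accounts = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True"
foreach ($a in $accounts) {
    $rid = [int]($a.SID -split '-')[-1]
    $isBuiltIn = $rid -in 500, 501
    $claimsBuiltIn = $a.Description -match 'built[- ]?in'
    if ($claimsBuiltIn -and -not $isBuiltIn) {
        Write-Warning ("Account '{0}' (RID {1}) claims to be built-in: '{2}'" -f `
            $a.Name, $rid, $a.Description)
    }
    if ($a.Name -ieq 'Support') {
        Write-Warning "Account named 'Support' present; confirm it was created deliberately."
    }
}

# 2. Local Administrators membership compared against an expected baseline.
#    Placeholder baseline: replace with the accounts you actually provisioned.
$expectedAdmins = @("$ComputerName\Administrator")
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$unexpected = $admins | Where-Object { $_ -notin $expectedAdmins }
if ($unexpected) {
    Write-Warning "Unexpected Administrators members: $($unexpected -join ', ')"
}

# 3. Export the local security policy and inspect who holds
#    SeNetworkLogonRight ("Access this computer from the network").
#    Everyone is S-1-1-0 and BUILTIN\Administrators is S-1-5-32-544; the report
#    describes both having been stripped from this right.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeNetworkLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($line -notmatch 'S-1-5-32-544') {
    Write-Warning "BUILTIN\Administrators no longer holds SeNetworkLogonRight: $line"
}
```

Each warning is a lead to verify against change records and the Security event log, not proof of compromise on its own.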
This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:46:52 PST