RE: Mysterious "Support" account created on Win2k server

From: Ed Street (blacknetat_private)
Date: Thu Jan 02 2003 - 13:07:00 PST


    Hello,
    
    Well, some more information would be needed.  I.e., Dell PCs ship with
    the support account active.
    
    Ed
    
    
    => -----Original Message-----
    => From: Ostfeld, Thomas [mailto:tostfeldat_private] 
    => Sent: Thursday, January 02, 2003 3:34 PM
    => To: 'incidentsat_private'
    => Subject: Mysterious "Support" account created on Win2k server
    => 
    => 
    => One of my web servers appears to have had an intrusion.  The box is Win2k
    => Advanced Server, SP3, up to date on all security patches.  I first became
    => aware of a problem when the main website hosted on the box became
    => inaccessible.  Checking the machine, I discovered that the Local Security
    => Policy had been altered so as to remove the Everyone and Local Administrators
    => group from the "Access this machine from the network" policy.  In place was a
    => single local account called "Support" that I did not recognize.
    => 
    => Looking into the accounts database, I discovered this account with a
    => description of "Built in account for providing user support."  It was also
    => part of the administrators group.  Needless to say, this looked suspicious,
    => so I locked the server back down and set up intrusion detection to look for
    => further attempts to exploit the account.
    => 
    => I know approximately when the attack occurred, but I am still puzzled as to
    => how it was done.  The web logs show the usual IIS root exploit attempts, but
    => those all fail.  Everything else looks normal.  I've scoured the machine
    => pretty thoroughly for bots, trojans, viruses, hidden and altered files, and
    => have so far come up empty.  No weird open ports either.
    => 
    => Has anyone seen this before?  There are one or two postings of the same
    => nature on Google, but little else to give me something to go on.
    => 
    => Tom Ostfeld
    => Knowledge Impact
    => Ostfeld7 (AIM)
    => 
    => 
    => -------------------------------------------------------------
    => ---------------
    => This list is provided by the SecurityFocus ARIS analyzer service.
    => For more information on this free incident handling, management 
    => and tracking system please see: http://aris.securityfocus.com
    => 
    => 
    => ---
    => Incoming mail is certified Virus Free.
    => Checked by AVG anti-virus system (http://www.grisoft.com).
    => Version: 6.0.435 / Virus Database: 244 - Release Date: 12/30/2002
    =>  
    => 
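    The two indicators Tom describes (an unrecognised local user sitting in Administrators with a plausible-looking description, and the "Access this computer from the network" right stripped of Everyone and Administrators) can be checked with a short audit script. The following is an added example, not code from either poster; it assumes a current Windows host with the Microsoft.PowerShell.LocalAccounts module and secedit.exe, an elevated prompt, and a constructed baseline list of expected admin accounts.

```powershell
# Added audit script, not from the thread. Assumes a current Windows host with the
# Microsoft.PowerShell.LocalAccounts module and secedit.exe, run from an elevated
# prompt. The baseline list of expected admin accounts is a constructed placeholder.

$ExpectedAdmins = @('Administrator')   # constructed baseline: replace with your own

function Get-UnexpectedLocalAdmins {
    param([string[]]$Expected = $ExpectedAdmins)
    # Flag every user in the local Administrators group that is not in the baseline,
    # and pull the account description (the thread's account carried a fake
    # "Built in account for providing user support." description).
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $name = ($m.Name -split '\\')[-1]          # strip the COMPUTERNAME\ prefix
        if ($m.ObjectClass -ne 'User' -or $name -in $Expected) { continue }
        $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name            = $name
            Description     = $u.Description
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet   # approximates creation time
            LastLogon       = $u.LastLogon
        }
    }
}

function Get-NetworkLogonRightHolders {
    # Export the local policy and read SeNetworkLogonRight, i.e. "Access this
    # computer from the network", the user right the thread reports was altered.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeNetworkLogonRight*' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # The INF line looks like: SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Trim().TrimStart('*'))
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
}

$rogue = @(Get-UnexpectedLocalAdmins)
if ($rogue) { Write-Warning "Unexpected local admins:"; $rogue | Format-Table -AutoSize }
$holders = @(Get-NetworkLogonRightHolders)
"Network logon right holders: $($holders -join ', ')"
if ('Everyone' -notin $holders -and 'BUILTIN\Administrators' -notin $holders) {
    Write-Warning "Everyone and Administrators are missing from SeNetworkLogonRight (matches the reported tampering)"
}
```

    Run it from a known-good baseline first so the expected list reflects accounts such as a vendor support account that Ed notes may ship enabled; any later difference in the group membership or the right's holders is then worth investigating.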
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:46:52 PST