Once a worm/trojan or an attacker successfully connects to a system via port 445 and guesses the administrator ID and weak password, the system is fully owned by the worm/trojan/attacker. Once a system is compromised with an administrator account, the attackers/worms/Trojans have full access to the system, including creating an account. An account can be easily created by using command line tools that come with the Windows 2000 resource kit or third party tools. Check out the article http://www.win2000mag.net/Articles/Index.cfm?ArticleID=16426.

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klaiat_private
www.klcconsulting.net

-----Original Message-----
From: H C [mailto:keydet89at_private]
Sent: Friday, January 03, 2003 2:11 PM
To: kyleat_private; Matthew Cole; Scott Fendley
Cc: incidentsat_private
Subject: RE: Mysterious "Support" account created on Win2k server

--- kyleat_private wrote:
> port 445 worm/virus/Trojans are the ones spread via
> SMB over TCP, port 445,
> using "net use \\[machine]\ipc$. The Trojans
> include password dictionaries
> for guessing admin ids and passwords.

However, that doesn't address the creation of the account...it only addresses the fact that Scott had a typo in his post.

[snip]

> -----Original Message-----
> From: Scott Fendley [mailto:scottfat_private]
> Sent: Thursday, January 02, 2003 3:03 PM
> To: Ostfeld, Thomas
> Cc: 'incidentsat_private'
> Subject: Re: Mysterious "Support" account created on Win2k server
>
> I have seen a number of these. In every case I have found on our campus,
> there was a user account with power user or administrative access that had
> an extremely weak password. The intruder would "net use" through that
> account to create another admin account (support in this case) for him to use.

Uhm...no, he wouldn't. He'd have to use "net user"..."net use" does NOT allow for the creation of accounts. Could be a typo, I know, but the difference of one letter is significant.
> ...daemon with an innocuous looking name like winasp,
> lsasss.exe, wimlogon.exe or something else that
> looks close to actual legit processes.

While "wimlogon" may look close to legit, I would hope that admins are smart enough that seeing that will raise the hackles on the backs of their necks. In fact, the process can be running w/ a legit name, like "svchost.exe", but using tools like listdlls.exe will show that the executable image is located in a directory other than system32.

> I would check to verify that all the accounts have
> appropriately significant passwords on them.

Would you suggest using L0phtcrack?

> Also, I would check the event log to see
> if there is a gaping hole in time where logged
> entries do not exist any more.

Wouldn't this really depend on what exactly is being logged? If auditing isn't enabled and there are no significant apps that log to the EventLog (a/v, for example) then there can be days or weeks between entries.

> This is the first I have seen exactly like this, but
> it is similar enough to ones I have been fighting on campus for the past
> few months to call it coincidence.

I wouldn't call it a coincidence, Scott, I'd call it the nature of the beast when it comes to a campus.

To Thomas,

> > I know approximately when the attack occurred, but I am still puzzled as to
> > how it was done. The web logs show the usual IIS root exploit attempts, but
> > those all fail. Everything else looks normal. I've scoured the machine
> > pretty thoroughly for bots, trojans, viruses, hidden and altered files, and
> > have so far come up empty. No weird open ports either.

I wish we knew more about what you did to scour the machine, and what tools you used. By understanding your methodology and tools, perhaps an error would be uncovered, or a better way recommended. Too many times, I've seen admins modify data *before* accessing it, simply b/c they didn't know. When you say "no weird open ports", what do you mean?
Did you run fport? If so, what did it find? Netcat renamed to "inetinfo.exe" and bound to port 80 isn't "weird" at all...but is a remote shell nonetheless.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:50:39 PST
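The two process checks H C raises in the thread (a name that is one letter off a real system process such as lsasss.exe or wimlogon.exe, and a legitimate name such as inetinfo.exe running from a directory other than system32), as an added example that is not part of the original thread. It assumes the Windows 2000 default system32 path C:\WINNT\system32 and runs over a constructed list of (pid, name, image path) records, not real listdlls.exe or fport output.

```python
from dataclasses import dataclass

# Windows 2000 system images the thread mentions attackers imitating, plus a
# few common neighbours. Not an exhaustive list.
SYSTEM_IMAGES = {"lsass.exe", "winlogon.exe", "svchost.exe", "services.exe",
                 "inetinfo.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\winnt\system32"   # assumed Win2k default; adjust per host

@dataclass
class Proc:
    pid: int
    name: str
    image: str   # full path of the executable image

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one added, dropped or swapped letter counts 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious(procs):
    """Return (pid, name, reason) for each process that merits a closer look."""
    hits = []
    for p in procs:
        name = p.name.lower()
        folder = p.image.lower().rsplit("\\", 1)[0]
        if name in SYSTEM_IMAGES:
            # Legit name, but the image lives outside system32 (renamed netcat etc.)
            if folder != SYSTEM32:
                hits.append((p.pid, p.name, f"system name running from {folder}"))
            continue
        near = [s for s in sorted(SYSTEM_IMAGES) if edit_distance(name, s) == 1]
        if near:
            hits.append((p.pid, p.name, f"lookalike of {near[0]}"))
    return hits

# Constructed sample: two genuine processes, a lookalike, and a relocated image.
SAMPLE = [
    Proc(228, "lsass.exe", r"C:\WINNT\system32\lsass.exe"),
    Proc(240, "winlogon.exe", r"C:\WINNT\system32\winlogon.exe"),
    Proc(812, "lsasss.exe", r"C:\WINNT\system32\lsasss.exe"),
    Proc(1044, "inetinfo.exe", r"C:\Inetpub\scripts\inetinfo.exe"),
]

if __name__ == "__main__":
    for pid, name, why in suspicious(SAMPLE):
        print(f"{pid:>5}  {name:<14} {why}")
```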