LiNERROR, I think you've posted this before to the list... First off, all three of the "accounts" you have listed have the same username...Administrator. Yes, it is a mystery as to why you can connect to this/these account(s) with any of the three password configurations. In your previous post, you did not specify what is the difference between these accounts...the account names are all spelled the same way, so they are presumably the same account...correct? And you're also saying that there is no Administrator account in the User Manager...correct? Since Administrator is the default name of the account w/ an RID of 500, one then has to ask, did you change the name of the default Administrator account? Perhaps the reason for your repost is a lack of responses to your first post. If that is the case, maybe providing some additional information your part would be helpful. After all, you state that these accounts do not exist in the User Manager, but then you later state that you tried to disable the Administrator account and could not. It would seem to be me that both of the conditions cannot exist. Harlan --- LiNERROR <linerrorat_private> wrote: > upon running an audit on one of my networks Retina > 4.90 discovered two > systems, running windows 2000 pro, with sp3 and all > updates with what > appeared to be multiple administrator accounts. > snip --- > Accounts: User: Administrator Pass: rotartsinimdA - > Account password > reverse of account > Accounts: User: Administrator Pass: Administrator - > Account password same > as account > Accounts: User: Administrator Pass: - Account with > no password > snip --- > However the system shows no evidence of these > accounts in the user > manager... but the accounts are there. > i can connect to the system using my specified > Account and password... AND > the three above. > Only these two machines have ghost accounts that i > know of, due to my > network setup i do not think anything has owned > these to machines just > yet... i checked my traffic logs and nothing has > left these two machines > over the network. > > > I've never seen this before and was wondering if > anyone knew anything than > might help me figure out what has cause this and > 1.) how i can remove these ghost accounts? (they > don't show up under the > user manager) > 2.) how would i be able to find other ghost accounts > since Retina only > scans for default accounts? > 3.) How can i DISABLE the administrator account in > 2k? (i get an error > message when i try and disable it that the account > can not be disabled) > > All help is appreciated > > > > > > > ---------------------------------------------------------------------------- > Attend the Black Hat Briefings & Training, July 28 - > 31 in Las Vegas, the > world's premier technical IT security event! 10 > tracks, 15 training sessions, > 1,800 delegates from 30 nations including all of the > top experts, from CSO's to > "underground" security specialists. See for > yourself what the buzz is about! > Early-bird registration ends July 3. This event > will sell out. www.blackhat.com > ---------------------------------------------------------------------------- > __________________________________ Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com ---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 09:36:27 PDT