Hi, While I agree with the majority of what you are saying Etaoin, was all that necessary? >If some moron renamed it <the administrator account>, the above stuff with Retina will still work It should, but wouldn't that *moron* be doing the right thing? LiNERROR, if the "Users and Computers" applet of "Computer Management" doesn't show you the admin account, then download a couple of other tools to see if they show using them, userdump (hammerofgod.com) springs to mind. How did you successfully authenticate using those 3 pwds? Did you log on interactively or remotely? winter -----Original Message----- From: shrdluat_private [mailto:shrdluat_private] On Behalf Of Etaoin Shrdlu Sent: Monday, 14 July 2003 4:04 AM To: Incidents List Subject: Re: more info on a hopefully unsuccessful compromise LiNERROR wrote: > > upon running an audit on one of my networks Retina 4.90 discovered two > systems, running windows 2000 pro, with sp3 and all updates with what > appeared to be multiple administrator accounts. No. This is what happens when users assume the task of auditing, rather than leaving it to the professionals. I suspect that you read NONE of the very helpful replies to your previous post, as well. To make absolutely sure that you understand, I will address each of the logs (these are NOT phantom accounts, btw, it's the Administrator account, and it belongs). > snip --- > Accounts: User: Administrator Pass: rotartsinimdA - Account password > reverse of account Here is Retina trying the word administrator backwards. Since the account has NO PASSWORD, it succeeds, and incorrectly logs the password as valid. > Accounts: User: Administrator Pass: Administrator - Account password > same as account Here is Retina trying the word administrator forwards. Since the account has NO PASSWORD, it succeeds, and incorrectly logs the password as valid. > Accounts: User: Administrator Pass: - Account with no password snip > --- Here's the log entry that is meaningful. You have an ADMINISTRATOR account with no password. What were you thinking? Put a good password on the administrator account, and be done with it. I'd suggest that a little reading from the Microsoft site, or from any book not containing the title words "21 days" or "dummies" would be of great benefit to you. I'd also suggest that a part time administrator to assist you with your machines would be helpful. > However the system shows no evidence of these accounts in the user > manager... but the accounts are there. No, no, no. The Administrator account is supposed to be there. If some moron renamed it, the above stuff with Retina will still work. Look at the users, under the manage menu. If there is no Administrator account, then check by the properties menu to see what group(s) the accounts are members of. The administrator account is traditionally a member of only the Administrators group (kind of reminds you of setprv on VMS, hmmmmmm), but that's all it needs. Check EACH account. There may be more than one account with administrator privileges. If so, then you need to check the (sorry, I don't remember the wintel equivalent offhand of UID) specific identifier to see which was created first. The oldest is the real Administrator. Rename it back to Administrator, and give it a damned password. -- I cannot help fearing that men may reach a point where they look on every new theory as a danger, every innovation as a toilsome trouble, every social advance as a first step toward revolution, and that they may absolutely refuse to move at all. (Alexis de Toqueville) ---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ---------------------------------------------------------------------------- ---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 09:56:49 PDT