RE: more info on a hopefully unsuccessful compromise

From: Dozal, Tim (tdozalat_private)
Date: Mon Jul 14 2003 - 12:13:09 PDT


    You may be able to create a new account on the host and set it with full
    administrator privileges on the local machine (and domain if present)
    then disable/remove the administrator account you're having problems
    with.  I believe the reason you're unable to disable/remove the current
    admin account is Windows requires that there be at least one local
    machine administrative account.  This doesn't answer the how's or why's
    of your current problem but it may fix the problem and at least let you
    see if by removing the current admin account you are able to remove all
    three other versions of the account.
    
    Tim 
    
    -----Original Message-----
    From: LiNERROR [mailto:linerrorat_private] 
    Sent: Sunday, July 13, 2003 9:54 PM
    To: incidentsat_private
    Subject: Re: more info on a hopefully unsuccessful compromise
    
    once again... someone assumes that they know everything, and that everyone
    they talk to is a moron.
    
    I shall address all points you tried to make here...
    
    >Here is Retina trying the word administrator backwards. Since the account
    >has NO PASSWORD, it succeeds, and incorrectly logs the password as valid.
    
    incorrect. The password is not blank. random garbage does not work... only
    my admin password and the other three work.
    
    >Here is Retina trying the word administrator forwards. Since the account
    >has NO PASSWORD, it succeeds, and incorrectly logs the password as valid.
    
    incorrect. The password is not blank. random garbage does not work... only
    my admin password and the other three work.
    
    >Here's the log entry that is meaningful. You have an ADMINISTRATOR account
    >with no password. What were you thinking? Put a good password on the
    >administrator account, and be done with it. I'd suggest that a little
    >reading from the Microsoft site, or from any book not containing the title
    >words "21 days" or "dummies" would be of great benefit to you. I'd also
    >suggest that a part time administrator to assist you with your machines
    >would be helpful.
    
    i do have a good password... and a STRONG password policy.  this is the
    incidents security focus mailing list... not some yahoo general help
    forum... if i wanted to ask a part time admin with skills involving the
    ability to install nt backoffice server and actually start exchange server i
    doubt he would be any help, considering these are the kinds of people that
    i replace when a company realises they need something better than a 30
    year old systems janitor who has problems applying service packs and
    updates in a timely and site wide manner...
    
    >No, no, no. The Administrator account is supposed to be there. If some
    >moron renamed it, the above stuff with Retina will still work.
    
    The "administrator" account is set up as a default... changing the name of
    the admin account to something a little less standard is helpful in many
    ways, specifically in keeping the brute forcers at bay.
    
    >Look at the
    >users, under the manage menu. If there is no Administrator account, then
    >check by the properties menu to see what group(s) the accounts are members
    >of. The administrator account is traditionally a member of only the
    >Administrators group (kind of reminds you of setprv on VMS, hmmmmmm), but
    >that's all it needs. Check EACH account. There may be more than one account
    >with administrator privileges. If so, then you need to check the (sorry, I
    >don't remember the wintel equivalent offhand of UID) specific identifier to
    >see which was created first. The oldest is the real Administrator. Rename
    >it back to Administrator, and give it a damned password.
    
    once again... it has a password... and there is only one account and that
    is the admins...
    
    
    LiNE
    ---
    If somebody really wants to break your security model, and has the
    cleverness and resources to do it, they'll do it. I mean, we have all these
    guys in Bulgaria who, rather than wait in line for bread, are sitting around
    trying to crack code. - Don DePalma
    
    
    At 11:04 AM 7/13/2003 -0700, you wrote:
    >LiNERROR wrote:
    > >
    > > upon running an audit on one of my networks Retina 4.90 discovered two
    > > systems, running windows 2000 pro, with sp3 and all updates with what
    > > appeared to be multiple administrator accounts.
    >
    >No. This is what happens when users assume the task of auditing, rather
    >than leaving it to the professionals. I suspect that you read NONE of the
    >very helpful replies to your previous post, as well. To make absolutely
    >sure that you understand, I will address each of the logs (these are NOT
    >phantom accounts, btw, it's the Administrator account, and it belongs).
    >
    > > snip ---
    > > Accounts: User: Administrator Pass: rotartsinimdA - Account password
    > > reverse of account
    >
    >Here is Retina trying the word administrator backwards. Since the account
    >has NO PASSWORD, it succeeds, and incorrectly logs the password as valid.
    >
    > > Accounts: User: Administrator Pass: Administrator - Account password same
    > > as account
    >
    >Here is Retina trying the word administrator forwards. Since the account
    >has NO PASSWORD, it succeeds, and incorrectly logs the password as valid.
    >
    > > Accounts: User: Administrator Pass: - Account with no password
    > > snip ---
    >
    >Here's the log entry that is meaningful. You have an ADMINISTRATOR account
    >with no password. What were you thinking? Put a good password on the
    >administrator account, and be done with it. I'd suggest that a little
    >reading from the Microsoft site, or from any book not containing the title
    >words "21 days" or "dummies" would be of great benefit to you. I'd also
    >suggest that a part time administrator to assist you with your machines
    >would be helpful.
    >
    > > However the system shows no evidence of these accounts in the user
    > > manager...  but the accounts are there.
    >
    >No, no, no. The Administrator account is supposed to be there. If some
    >moron renamed it, the above stuff with Retina will still work. Look at the
    >users, under the manage menu. If there is no Administrator account, then
    >check by the properties menu to see what group(s) the accounts are members
    >of. The administrator account is traditionally a member of only the
    >Administrators group (kind of reminds you of setprv on VMS, hmmmmmm), but
    >that's all it needs. Check EACH account. There may be more than one account
    >with administrator privileges. If so, then you need to check the (sorry, I
    >don't remember the wintel equivalent offhand of UID) specific identifier to
    >see which was created first. The oldest is the real Administrator. Rename
    >it back to Administrator, and give it a damned password.
    >
    >--
    >I cannot help fearing that men may reach a point where they look on
    >every new theory as a danger, every innovation as a toilsome trouble,
    >every social advance as a first step toward revolution, and that they
    >may absolutely refuse to move at all.   (Alexis de Tocqueville)
    >
    >----------------------------------------------------------------------------
    >Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    >world's premier technical IT security event! 10 tracks, 15 training sessions,
    >1,800 delegates from 30 nations including all of the top experts, from CSO's to
    >"underground" security specialists.  See for yourself what the buzz is about!
    >Early-bird registration ends July 3.  This event will sell out.
    >www.blackhat.com
    >----------------------------------------------------------------------------
    
    
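    As an added example (not code from anyone on this thread), the account audit the quoted reply describes and the account swap Tim suggests, written for PowerShell. The identifier the quoted poster could not recall is the SID: the built-in Administrator always carries relative ID 500 at the end of its SID, whatever it has been renamed to, which is how to pick it out when several accounts sit in the Administrators group. Windows allows that account to be disabled but not deleted, so the swap disables it. This assumes Windows 10 / Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module; on the Windows 2000 hosts in the thread, `net user` and `net localgroup Administrators` are the equivalents. The function names and the sample account name are my own.

```powershell
# Added example, not from the list thread. Assumes the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

function Get-LocalAdminAudit {
    # Lists every local user in the Administrators group, marks the built-in
    # Administrator by its RID (500, survives a rename) and flags accounts
    # that do not require a password, which is the finding Retina reported.
    [CmdletBinding()]
    param()

    $adminMembers = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' }

    foreach ($member in $adminMembers) {
        # Domain accounts in the group are not local users; skip them here.
        $user = Get-LocalUser -SID $member.SID -ErrorAction SilentlyContinue
        if (-not $user) { continue }

        $rid = [int](($user.SID.Value -split '-')[-1])
        $finding = ''
        if (-not $user.PasswordRequired) {
            $finding = 'NO PASSWORD REQUIRED'
        } elseif ($rid -eq 500 -and $user.Name -eq 'Administrator') {
            $finding = 'built-in admin still uses the default name'
        }

        [pscustomobject]@{
            Name             = $user.Name
            SID              = $user.SID.Value
            IsBuiltInAdmin   = ($rid -eq 500)
            Enabled          = $user.Enabled
            PasswordRequired = $user.PasswordRequired
            PasswordLastSet  = $user.PasswordLastSet
            Finding          = $finding
        }
    }
}

function Invoke-AdminAccountSwap {
    # Tim's procedure: create a fresh administrative account, confirm it is a
    # member of Administrators, and only then disable the built-in (RID 500)
    # account. Supports -WhatIf / -Confirm so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$NewAdminName,
        [Parameter(Mandatory)][securestring]$NewAdminPassword
    )

    $builtIn = Get-LocalUser |
        Where-Object { ($_.SID.Value -split '-')[-1] -eq '500' }

    if ($PSCmdlet.ShouldProcess($NewAdminName, 'Create local administrator account')) {
        New-LocalUser -Name $NewAdminName -Password $NewAdminPassword | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $NewAdminName
    }

    # Verify the replacement really is in the group before touching the old one.
    $replacementOk = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { ($_.Name -split '\\')[-1] -eq $NewAdminName }

    if ($replacementOk -and
        $PSCmdlet.ShouldProcess($builtIn.Name, 'Disable built-in Administrator (RID 500)')) {
        Disable-LocalUser -SID $builtIn.SID
    }
}

# Usage (sample account name is constructed for this example):
#   Get-LocalAdminAudit | Format-Table -AutoSize
#   Invoke-AdminAccountSwap -NewAdminName 'localadm' `
#       -NewAdminPassword (Read-Host -AsSecureString 'New admin password') -WhatIf
```

    Run the audit first: one row per local administrator, with `IsBuiltInAdmin` telling the RID-500 account apart from any others regardless of name, and `Finding` showing whether any of them is the blank-password case the scanner flagged. The swap is deliberately ordered so that the old account is disabled only after the new one is confirmed in the group, since the alternative is a host with no working administrative login.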



    This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 13:15:29 PDT