Re: more info on a hopefully unsuccessful compromise

From: Harlan Carvey (keydet89at_private)
Date: Mon Jul 14 2003 - 12:04:10 PDT


    > the difference between the accounts is almost none... 1 is the default
    > admin account with a strong password that shows up in the user manager. the
    > other three should not be there, and are not in the user manager, yet, you
    > can still access the system with the use of one of the three "ghost" accounts.
    
    Okay, this doesn't make much sense at all...b/c the
    name of the account that Retina found is
    "Administrator" in all three cases.  
    
    So what you're saying is that the default
    Administrator account, with the name "Administrator",
    can be accessed via the strong password you provided
    it with, as well as these three others that Retina
    reported.
     
    > it's a little of setting to come in one day and find two systems on the
    > back waters of your network with the ability to be connected to with 3
    > passwords you never set.
    
    Understood...and I'm sure you meant "upsetting",
    rather than "of setting". 
    
    > I tried to disable the default admin account in an attempt to perhaps lock
    > out the "ghost" accounts. however when I tried to I was presented with a
    > lovely message that the admin account can not be disabled.
    
    Again, according to Retina, the default admin account
    IS the "ghost" accounts.
     
    > presently there are 4 sets of login/password that can login to the systems:
    > admin with my password
    > admin with admin reversed
    > admin with admin and
    > admin with nothing...
    
    Please be more clear/specific.  According to your
    previous posts, the account found by Retina is
    "Administrator", not "admin".  What is the name of the
    other "admin" account?
     
    > I am not aware of 2k having the ability to have one account with multiple
    > passwords... and if I am mistaken, how would I disable the other passwords.
    
    It's not... this clearly indicates an issue of some kind.
    I'd like to ask that you dump the contents of the
    WinLogon key (please do NOT copy them...dump them and
    provide ALL information) and either send it to me, or
    post it to the list.  There may be a trojaned GINA at
    work here...
    
    Thanks,
    
    Harlan
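
    [Added example, not part of Harlan's message or the original thread.] The
    check Harlan is asking for is a full dump of the Winlogon key, because a
    replacement GINA is registered there: Winlogon loads the DLL named by the
    GinaDLL value (or msgina.dll when the value is absent) and that DLL sits
    between the logon UI and the authentication package, so it sees every
    plaintext password and can log or substitute credentials. The script below
    dumps the key and flags a GinaDLL that is present, is not msgina.dll, is
    missing from disk, or is not validly Microsoft-signed; it also compares the
    Userinit and Shell values in the same key against their usual defaults,
    since those are hijacked the same way. Assumptions: it runs elevated on the
    affected host under PowerShell 4.0 or later (for Get-FileHash), the
    "expected" Userinit/Shell strings are those of a standard install, and GINA
    itself only exists on Windows 2000/XP/2003 (Vista and later use credential
    providers instead, so only the Userinit/Shell part applies there).

```powershell
# Added example (not from the original post): dump the Winlogon key and flag
# the values an intruder would tamper with to keep a hold on the logon path.
# GinaDLL is a Windows 2000/XP/2003 mechanism; later versions have no GINA.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonDump {
    # Every value under the key, as asked for on the list (a dump, not a hand
    # copy of the interesting-looking ones). PS* properties are PowerShell's
    # own provider metadata, not registry values, so they are dropped.
    Get-ItemProperty -Path $WinlogonKey |
        Select-Object -Property * -ExcludeProperty PS*
}

function Get-WinlogonFindings {
    param([string]$Key = $WinlogonKey)

    $props    = Get-ItemProperty -Path $Key
    $findings = New-Object System.Collections.Generic.List[object]

    # GinaDLL: normally absent, in which case Winlogon loads msgina.dll.
    # Any explicit value deserves a look; one that is not msgina.dll, is not
    # on disk, or is not Microsoft-signed is the classic trojaned-GINA sign.
    if ($null -ne $props.GinaDLL) {
        $gina = [string]$props.GinaDLL
        # A bare file name is resolved from System32, where Winlogon looks for it.
        $resolved = if ([IO.Path]::IsPathRooted($gina)) { $gina } else { Join-Path $env:SystemRoot ('System32\' + $gina) }
        $issues = @()
        if ($gina -notmatch '^(?:.*\\)?msgina\.dll$') { $issues += 'Non-default GINA configured' }

        $signature = $null
        $sha256    = $null
        if (Test-Path -LiteralPath $resolved) {
            $sig       = Get-AuthenticodeSignature -FilePath $resolved
            $signature = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
            $sha256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $resolved).Hash
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $issues += 'GINA DLL is not validly Microsoft-signed'
            }
        } else {
            $issues += 'GinaDLL path does not exist on disk'
        }
        $findings.Add([pscustomobject]@{
            Value = 'GinaDLL'; Data = $gina; Path = $resolved
            Signature = $signature; SHA256 = $sha256; Issues = ($issues -join '; ')
        })
    }

    # Userinit / Shell live in the same key; appending a program to either
    # runs it at every interactive logon. Expected defaults are an assumption
    # of a standard install (string comparison is case-insensitive).
    $expected = @{
        Userinit = "$env:SystemRoot\system32\userinit.exe,"
        Shell    = 'explorer.exe'
    }
    foreach ($name in $expected.Keys) {
        $data = [string]$props.$name
        if ($data -and $data -ne $expected[$name]) {
            $findings.Add([pscustomobject]@{
                Value = $name; Data = $data; Path = $null
                Signature = $null; SHA256 = $null
                Issues = "Differs from default '$($expected[$name])'"
            })
        }
    }
    return $findings
}

# Usage on the affected host: full dump first (this is what goes to the list),
# then the findings table. An empty findings table means nothing was flagged.
Get-WinlogonDump | Format-List
Get-WinlogonFindings | Format-Table -AutoSize
```

    On the Windows 2000 box itself, where there is no PowerShell, the
    equivalent of the dump is reg.exe (built into XP and later, a Resource Kit
    tool on 2000): reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    and the output should be posted in full rather than retyped, which is the
    point of Harlan's "dump, do NOT copy" request.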
    
    This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 13:23:57 PDT