Security Basics mailing list archives
Re: unknown user on home computer
From: p1g <killfactory () gmail com>
Date: Mon, 3 Mar 2008 19:08:11 -0500
perform a system restore =)

On 3/1/08, Margaret Wolfe-Roberts <margaret_wolfe () mindspring com> wrote:

Hello,

I am a home user with one laptop and one desktop and I'm hoping you can help me with a security concern. Recently I installed a router in order to share the Internet connection. In the process of learning to enable File Sharing I clicked on some stuff and the desktop generated a list of users that includes a username I have never seen before, a strange one called "ratnkwCNHERF".

When I did a whole-computer search to find out more, the search generated a list of three files where the same term is used, all in the C://SWSHARE folder. I checked the three files: egathcmp.xml, egath.xml and eGathComp.html (Firefox doc). They seem to be reviews of the overall system. It's possible I have utilized some online program to gather information on my system which created those files. The html file is entitled Gathered Information for [computer name] and includes this information about users:

Workstation Security • User Accounts

User ID/Name/Password Set/Password age in days/Privilege Level/Disabled/Password Not Required/Cannot Change Password/Locked Out/Password Never Expires/Password Expired

2700 true 97 Administrator false true false false true false
Administrator true 480 Administrator true false false false true false
David David true 0 User false false false false true false
Guest true 0 Guest false true true false true false
od2700 Margaret true 97 User false true false false true false
ratnkwCNHERF ratnkwCNHERF true 55 Administrator false false false false false true

Here I find out that the "rat" user has Administrator privileges and appears to have had a password created AFTER I set passwords for myself and the administrator account as I know it – the "2700" account (password age 55 days vs 97 days). I purchased the computer last October from Office Depot. However, the table also indicates the "rat" user's password is expired, though the account is not disabled.

I also notice that there is an extra Administrator account (now disabled) listed separately from the account I know as administrator (2700) which appears to long predate my purchase of the computer (password age 480 days).

Is there some benign explanation for this mysterious user (who still shows up as an option for sharing my files with) or have I uncovered evidence of some kind of security breach of my computer? How and for what purpose would this extra user account have been created, and without my knowledge?

I will be truly grateful for any insight you can share with me.

Margaret Wolfe-Roberts
--
-p1g
SnortCP, C|HFI, TNCP, TECP, NACP, A+

  ,,__
 o"  )~   oink oink
  ' ' ' '

If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
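
One way to triage the account table quoted above, as an added example that is not part of the original thread: it parses the six report rows (copied here as a constructed sample) and lists Administrator-level accounts the owner does not recognise. The function names and the `known_ids` set are hypothetical, and a single leading token is assumed to be the User ID with an empty Name.

```python
# Constructed sample: the six account rows as they appear in the quoted report.
REPORT_ROWS = """\
2700 true 97 Administrator false true false false true false
Administrator true 480 Administrator true false false false true false
David David true 0 User false false false false true false
Guest true 0 Guest false true true false true false
od2700 Margaret true 97 User false true false false true false
ratnkwCNHERF ratnkwCNHERF true 55 Administrator false false false false false true
"""

# The nine columns that follow User ID and Name in the report header.
TAIL = ["password_set", "password_age_days", "privilege", "disabled",
        "password_not_required", "cannot_change_password", "locked_out",
        "password_never_expires", "password_expired"]

def parse_row(line):
    """Parse one row from the right: the last nine fields are always present,
    while a blank Name leaves only one leading token (assumed to be User ID)."""
    tokens = line.split()
    if len(tokens) <= len(TAIL):
        raise ValueError(f"short row: {line!r}")
    lead, tail = tokens[:-len(TAIL)], tokens[-len(TAIL):]
    row = {"user_id": lead[0], "name": " ".join(lead[1:])}
    for key, value in zip(TAIL, tail):
        row[key] = value if key == "privilege" else value == "true"
    row["password_age_days"] = int(tail[1])
    return row

def review_accounts(report, known_ids):
    """Return (user_id, notes) for Administrator-level accounts that are not
    in known_ids, the owner's own list of expected accounts (an assumption)."""
    findings = []
    for line in report.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        if row["privilege"] != "Administrator" or row["user_id"] in known_ids:
            continue
        notes = ["disabled" if row["disabled"] else "enabled",
                 f"password age {row['password_age_days']} days"]
        if row["password_expired"]:
            notes.append("password expired")
        findings.append((row["user_id"], notes))
    return findings

if __name__ == "__main__":
    for user_id, notes in review_accounts(REPORT_ROWS, {"2700", "od2700", "David"}):
        print(user_id, "-", ", ".join(notes))
```

On this sample it reports the two accounts the original poster singles out: the disabled "Administrator" entry and the enabled "ratnkwCNHERF" entry with its expired password.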