Security Incidents mailing list archives

Terminal Services / TsInternetUser [RMC-RUFLVP4]


From: "Romulo M. Cholewa" <rmc () rmc eti br>
Date: Sat, 14 Dec 2002 19:37:03 -0300

Hail,

I have a Windows 2000 Server machine with a real IP address and 3389/tcp available. Since this morning, I've noticed 
lots of attempts (Security Eventlog) of someone trying to change the TsInternetUser password (no success, only 
failures).

I would like to know if there are any utilities that would enable someone to change this password (I think not), or any 
known attacks that might use any vulnerability in TS that would enable someone to gain access through this account.

The W2K server is fully patched.

Any ideas? I temporarily configured TS to only accept connections from the internal network until I can find out the
possibilities.

What is intriguing me is the fact that until now, I thought that anyone must be logged on to try to change a password.
And only one user has TS granted (since this user is admin equiv, I don't think that it has been compromised: since it
is admin equiv, if someone does know its password, a natural course of action would be simply to create a new account).

Thanks in advance,


Romulo M. Cholewa
Home : http://www.rmc.eti.br
Forum: http://zeus.rmc.eti.br/forum
PGP Keys Available @ website.

    "Everything should be made as simple as possible, but not
                  simpler." -- Albert Einstein

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

