Security Incidents mailing list archives

RE: Mysterious "Support" account created on Win2k server


From: H C <keydet89 () yahoo com>
Date: Fri, 3 Jan 2003 11:10:34 -0800 (PST)


--- kyle () kylelai com wrote:
> port 445 worm/virus/Trojans are the ones spread via SMB over TCP, port 445,
> using "net use \\[machine]\ipc$".  The Trojans include password dictionaries
> for guessing admin ids and passwords.

However, that doesn't address the creation of the
account...it only addresses the fact that Scott had a
typo in his post.

[snip]

> -----Original Message-----
> From: Scott Fendley [mailto:scottf () uark edu]
> Sent: Thursday, January 02, 2003 3:03 PM
> To: Ostfeld, Thomas
> Cc: 'incidents () securityfocus com'
> Subject: Re: Mysterious "Support" account created on Win2k server

> I have seen a number of these.  In every case I have found on our campus,
> there was a user account with power user or administrative access that had
> an extremely weak password.  The intruder would "net use" through that
> account to create another admin account (support in this case) for him to use.

Uhm...no, he wouldn't.  He'd have to use "net
user"..."net use" does NOT allow for the creation of
accounts.  Could be a typo, I know, but the difference
of one letter is significant.

> ...daemon with an innocuous looking name like winasp, lsasss.exe,
> wimlogon.exe or something else that looks close to actual legit processes.

While "wimlogon" may look close to legit, I would hope
that admins are smart enough that seeing that will
raise the hackles on the backs of their necks.  In
fact, the process can be running w/ a legit name, like
"svchost.exe", but using tools like listdlls.exe will
show that the executable image is located in a
directory other than system32.
 
> I would check to verify that all the accounts have appropriately
> significant passwords on them.

Would you suggest using L0phtcrack?

> Also, I would check the event log to see if there is a gaping hole in
> time where logged entries do not exist any more.

Wouldn't this really depend on what exactly is being
logged?  If auditing isn't enabled and there are no
significant apps that log to the EventLog (a/v, for
example) then there can be days or weeks between
entries.
 
> This is the first I have seen exactly like this, but it is similar enough
> to ones I have been fighting on campus for the past few months to call it
> coincidence.

I wouldn't call it a coincidence, Scott, I'd call it
the nature of the beast when it comes to a campus.


To Thomas, 

> I know approximately when the attack occurred, but I am still puzzled as to
> how it was done.  The web logs show the usual IIS root exploit attempts, but
> those all fail.  Everything else looks normal.  I've scoured the machine
> pretty thoroughly for bots, trojans, viruses, hidden and altered files, and
> have so far come up empty.  No weird open ports either.

I wish we knew more about what you did to scour the
machine, and what tools you used.  By understanding
your methodology and tools, perhaps an error would be
uncovered, or a better way recommended.  Too many
times, I've seen admins modify data *before* accessing
it, simply b/c they didn't know.

When you say "no weird open ports", what do you mean? 
Did you run fport?  If so, what did it find?  Netcat
renamed to "inetinfo.exe" and bound to port 80 isn't
"weird" at all...but is a remote shell nonetheless.
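Two of the checks discussed in this message, the listdlls-style comparison of process names against their image paths and the event-log "gap in time" check, can be automated once the raw output has been collected. The script below is an added example and is not code from anyone in this thread; the process list and event lines are constructed samples standing in for transcribed listdlls/tasklist and Event Viewer export output, the `LEGIT_NAMES` set and the Win2k `C:\WINNT\system32` system directory are assumptions to be adjusted per host, and the one-day gap threshold is likewise an assumed value that should reflect how busy the host's EventLog normally is (on a box with no auditing and no logging applications, long gaps are expected and prove nothing).

```python
import re
from datetime import datetime, timedelta

# Assumed: process names worth protecting against look-alikes (from the thread).
LEGIT_NAMES = {"winlogon.exe", "lsass.exe", "svchost.exe", "inetinfo.exe"}
# Assumed: Windows 2000 default system directory; adjust for the host under review.
SYSTEM_DIR = r"c:\winnt\system32"

# Constructed sample of (process name, image path) pairs, as transcribed from
# listdlls / tasklist output. Not real data from the thread.
SAMPLE_PROCESSES = [
    ("winlogon.exe", r"C:\WINNT\system32\winlogon.exe"),
    ("wimlogon.exe", r"C:\WINNT\system32\wimlogon.exe"),   # look-alike name
    ("lsasss.exe",   r"C:\temp\lsasss.exe"),                # look-alike name
    ("svchost.exe",  r"C:\WINNT\system32\svchost.exe"),
    ("svchost.exe",  r"C:\Inetpub\scripts\svchost.exe"),    # legit name, wrong path
    ("inetinfo.exe", r"C:\WINNT\system32\inetsrv\inetinfo.exe"),
]

# Constructed sample of event-log export lines: "timestamp source id message".
SAMPLE_EVENTS = [
    "2002-12-20 08:15:02 Security 528 Successful Logon",
    "2002-12-20 17:40:11 Security 538 User Logoff",
    "2002-12-21 09:02:45 Security 528 Successful Logon",
    "2002-12-28 10:30:00 Security 528 Successful Logon",
    "2002-12-28 11:00:19 Security 538 User Logoff",
]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character name substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_processes(processes, legit=LEGIT_NAMES, system_dir=SYSTEM_DIR):
    """Flag (name, path, reason) for look-alike names and for legit names whose
    image lives outside the system directory (the listdlls point in the thread)."""
    findings = []
    for name, path in processes:
        lname, lpath = name.lower(), path.lower()
        if lname in legit:
            if not lpath.startswith(system_dir.lower()):
                findings.append((name, path, "legit name running outside system dir"))
        else:
            close = sorted(l for l in legit if edit_distance(lname, l) <= 1)
            if close:
                findings.append((name, path, "look-alike of " + close[0]))
    return findings


def find_log_gaps(lines, max_gap=timedelta(days=1)):
    """Return (start, end, duration) for every silence longer than max_gap
    between consecutive timestamped event lines."""
    stamp = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
    times = sorted(
        datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for m in (stamp.match(line) for line in lines) if m
    )
    return [(a, b, b - a) for a, b in zip(times, times[1:]) if b - a > max_gap]


if __name__ == "__main__":
    for name, path, reason in audit_processes(SAMPLE_PROCESSES):
        print(f"PROCESS  {name:<14} {path:<45} {reason}")
    for start, end, length in find_log_gaps(SAMPLE_EVENTS):
        print(f"LOG GAP  {start} -> {end} ({length})")
```

On the sample data the process audit reports wimlogon.exe and lsasss.exe as look-alikes and the svchost.exe under Inetpub as a legitimate name running from the wrong directory, while the legitimate inetinfo.exe in system32\inetsrv passes; the gap check reports the silence between 21 and 28 December. A real run should feed it the full listdlls output and an unfiltered event-log export, and the findings are leads for the examiner, not proof of compromise on their own.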

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com