Security Incidents mailing list archives
RE: Mysterious "Support" account created on Win2k server
From: <kyle () kylelai com>
Date: Fri, 3 Jan 2003 16:45:46 -0500
No, attackers cannot use "net use" to create user accounts, but YES, they can create user accounts after they use "net use" to connect to victimized systems.

Just to demonstrate, here is one of the methods of attack:

1. "net use \\machine\ipc$" with admin id and weak password. Assume it successfully connected to the system.
2. Use "psexec" from sysinternals.com to copy necessary files to the victimized systems.
3. Use "psexec" to execute commands on the victimized system, i.e. Addusers.

They can run any commands, programs, or viruses/worms/trojans now, since they can copy all necessary files to the victimized system and run them as an administrator.

The above method was the method used in the ocxdll.exe / taskmngr.exe worm/Trojan.

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klai () klcconsulting net
www.klcconsulting.net
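A detection sketch for the sequence described in the message above, added here as an example and not part of the original post or thread: it correlates a network logon, a start of the PsExec service (PSEXESVC), and a new-account event on the same host. The event records are constructed, the tuple layout and function name are hypothetical, and the event IDs (540, 624, 7036) are assumed to be the Windows 2000-era ones.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events (time, host, event ID, fields); not from the post.
# Assumed Windows 2000-era IDs: Security 540 = successful network logon,
# Security 624 = user account created, System 7036 = service entered running state.
EVENTS = [
    ("2003-01-02 03:10:01", "SRV1", 540, {"user": "Administrator", "workstation": "UNKNOWN-PC"}),
    ("2003-01-02 03:10:09", "SRV1", 7036, {"service": "PSEXESVC"}),
    ("2003-01-02 03:10:15", "SRV1", 624, {"new_account": "Support"}),
    # Account created with no preceding remote service start: not flagged.
    ("2003-01-02 09:00:00", "SRV2", 624, {"new_account": "jsmith"}),
    # PsExec service start with no account creation: not flagged by this rule.
    ("2003-01-02 10:00:00", "SRV3", 540, {"user": "Administrator", "workstation": "ADMIN-WS"}),
    ("2003-01-02 10:00:05", "SRV3", 7036, {"service": "PSEXESVC"}),
]


def find_remote_account_creation(events, window=timedelta(minutes=5)):
    """Flag account creations that follow network logon -> PSEXESVC start
    on the same host, each step within `window` of the previous one."""
    last_logon = {}   # host -> (time, fields) of latest network logon
    last_psexec = {}  # host -> (time, logon fields) of latest PSEXESVC start
    findings = []
    for ts, host, event_id, fields in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, FMT)
        if event_id == 540:
            last_logon[host] = (when, fields)
        elif event_id == 7036 and fields.get("service", "").upper() == "PSEXESVC":
            logon = last_logon.get(host)
            if logon and when - logon[0] <= window:
                last_psexec[host] = (when, logon[1])
        elif event_id == 624:
            started = last_psexec.get(host)
            if started and when - started[0] <= window:
                findings.append({
                    "host": host,
                    "new_account": fields["new_account"],
                    "logon_user": started[1]["user"],
                    "workstation": started[1]["workstation"],
                    "time": ts,
                })
    return findings


if __name__ == "__main__":
    for finding in find_remote_account_creation(EVENTS):
        print(finding)
```

Real logs would need merging of the Security and System logs per host before correlation, and the time window tuned to how the environment's legitimate remote administration behaves.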