Security Incidents mailing list archives

RE: Mysterious "Support" account created on Win2k server


From: "Michael LaSalvia" <mike () jason org>
Date: Sat, 4 Jan 2003 10:35:06 -0500

A better way to remove those shares is in the registry. The batch file you
refer to, many of these so-called hackers refer to as secure.bat. The
problem with this is that the batch needs to be put in some start up option
(reg run, startup, autoexec, or windows login script), cause as soon as you
reboot the shares are back. If you go to google and do a search for default
admin shares you will get the exact reg you need for the o/s you are
running.

Michael LaSalvia
Information Technology Coordinator
Jason Foundation for Education
(781)444-8858 ext 231
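The registry route Michael describes, written out as an added example (not code from this thread or from either poster). It assumes an elevated PowerShell session on the machine being hardened; the AutoShareServer/AutoShareWks values under the LanmanServer Parameters key are the standard Windows settings for this, which the thread itself does not name.

```powershell
# Added example: make the removal of the default administrative shares
# persistent via the registry instead of re-running "net share x$ /delete"
# from the startup folder after every reboot (the secure.bat approach).
# Assumption: run from an elevated session on the server being hardened.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# AutoShareServer applies to server SKUs, AutoShareWks to workstation SKUs.
# A value of 0 tells the Server service not to recreate ADMIN$ and the
# <drive>$ shares at startup. IPC$ is not governed by these values: the
# Server service always recreates it, which is also why "net share ipc$
# /delete" in a startup batch file never survives a restart.
foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
}

# The registry values only stop the shares from coming back on the next
# boot, so also drop the ADMIN$ and <drive>$ shares that exist right now.
$adminShares = net share |
    Select-String -Pattern '^(ADMIN\$|[A-Z]\$)\s' |
    ForEach-Object { ($_.Line -split '\s+')[0] }
foreach ($share in $adminShares) {
    net share $share /delete
}

# Check: the two values should read 0, and after the next restart "net share"
# should list IPC$ but no ADMIN$ or <drive>$ entries.
Get-ItemProperty -Path $key -Name AutoShareServer, AutoShareWks
net share
```

Rerun the last two lines after a reboot; if an ADMIN$ or drive share reappears, something else (a logon script, group policy, or the old secure.bat being reversed) is recreating it and is worth tracking down.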


-----Original Message-----
From: Michiel Overtoom [mailto:motoom () xs4all nl]
Sent: Friday, January 03, 2003 1:55 PM
To: incidents () securityfocus com
Subject: RE: Mysterious "Support" account created on Win2k server


Kyle wrote...

port 445 worm/virus/Trojans are the ones spread via SMB over TCP, port 445,
using "net use \\[machine]\ipc$". The Trojans include password dictionaries
for guessing admin ids and passwords.


On my servers I remove these kinds of built-in accounts using a batch file which
gets executed from the startup folder:

  @echo off
  echo Unsharing default shares...
  net share ipc$ /delete
  net share admin$ /delete
  net share c$ /delete
  net share d$ /delete
  net share e$ /delete
  net share f$ /delete
  net share g$ /delete
  net share h$ /delete



--
Michiel Overtoom  - motoom () xs4all nl  //  Computers are Creative Wonder Machines



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



