Security Incidents mailing list archives
RE: Mysterious "Support" account created on Win2k server
From: "Michael LaSalvia" <mike () jason org>
Date: Sat, 4 Jan 2003 10:35:06 -0500
A better way to remove those shares is in the registry. The batch file you refer to, many of these so-called hackers refer to as secure.bat. The problem with this is that the batch needs to be put in some startup option (reg run, startup, autoexec, or Windows login script), because as soon as you reboot the shares are back. If you go to Google and do a search for default admin shares you will get the exact reg you need for the o/s you are running.

Michael LaSalvia
Information Technology Coordinator
Jason Foundation for Education
(781)444-8858 ext 231

-----Original Message-----
From: Michiel Overtoom [mailto:motoom () xs4all nl]
Sent: Friday, January 03, 2003 1:55 PM
To: incidents () securityfocus com
Subject: RE: Mysterious "Support" account created on Win2k server

Kyle wrote...
Port 445 worm/virus/Trojans are the ones spread via SMB over TCP, port 445, using "net use \\[machine]\ipc$". The Trojans include password dictionaries for guessing admin ids and passwords.
On my servers I remove these kinds of built-in accounts using a batch file which gets executed from the startup folder:

@echo off
echo Unsharing default shares...
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete
net share e$ /delete
net share f$ /delete
net share g$ /delete
net share h$ /delete

--
Michiel Overtoom - motoom () xs4all nl // Computers are Creative Wonder Machines

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
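The registry approach described at the top of this message, as an added example that is not part of the original thread: the value name depends on whether the machine is a workstation or a server, which is the per-OS difference the message mentions. It assumes a current Windows system with PowerShell 3.0 or later in an elevated session; the `-Apply` switch and variable names are this example's own.

```powershell
# Added example (not from the thread): report and optionally disable the
# automatic administrative shares (C$, D$, ADMIN$) so they stay gone after
# a reboot, instead of deleting them from a startup batch file.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# The value name differs by OS role.
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$name = if ($os.ProductType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }

# A missing value is the default: the Server service recreates the shares.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$state   = if ($null -eq $current) { 'not set (shares auto-created)' }
           elseif ($current -eq 0) { '0 (auto-creation disabled)' }
           else                    { "$current (shares auto-created)" }
Write-Output "$name = $state"

# List the administrative shares that exist right now.
# Win32_Share.Type values of 2147483648 and above are administrative shares.
Get-CimInstance -ClassName Win32_Share |
    Where-Object { $_.Type -ge 2147483648 } |
    Select-Object Name, Path, Type |
    Format-Table -AutoSize

if ($Apply) {
    # REG_DWORD 0 stops the Server service from recreating the disk and
    # ADMIN$ shares at startup. IPC$ is not controlled by this value.
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    Write-Output "$name set to 0. Existing shares remain until the Server service restarts or the machine reboots."
}
```

Backup agents and remote management tools that rely on C$ or ADMIN$ stop working once the value takes effect, so run the report mode first and check what depends on those shares.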