nanog mailing list archives
RE: Interesting Occurrence
From: Randy Bush <randy () psg com>
Date: Mon, 21 Jun 2004 14:06:24 -0400
you sent html as opposed to an email message. as i do not use a web browser to read mail, i can not read your message. if you want me to read your email, send email. randy
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <TITLE>Message</TITLE> <META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD> <BODY> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=613275217-21062004>That almost looks like one of the dummy user accounts that gets added as part of IIS. I see a couple of these on one win2k server that I maintain:</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=613275217-21062004></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=613275217-21062004>"IWAM_<hostname>" (Launch IIS Process Account)</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=613275217-21062004></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=613275217-21062004>"IUSER_<hostname>" (Internet Guest Account)</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=613275217-21062004></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=613275217-21062004>Luke</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=613275217-21062004></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=613275217-21062004></SPAN></FONT> </DIV> <DIV></DIV> <DIV><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> owner-nanog () merit edu [mailto:owner-nanog () merit edu] <B>On Behalf Of </B>Brent_OKeeffe () asc aon com<BR><B>Sent:</B> Monday, June 21, 2004 1:45 PM<BR><B>To:</B> nanog () merit edu<BR><B>Subject:</B> Interesting Occurrence<BR><BR></DIV></FONT> <BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"><BR><FONT face=sans-serif size=2>Okay... Here is a new one for me. Got a call from my dad saying he left his PC on last night connected to his broadband. He went to log in this morning and noticed a new ID in his user list - IWAP_WWW. He immediately deleted is and called me. I had him ensure his critical updates we all applied - they were. I had him ensure his antivirus was up to date - it was (Norton Antivirus 2004). He is running XP Home.</FONT> <BR><BR><FONT face=sans-serif size=2>I searched the antivirus sites and elsewhere for references. Any idea if there is a new vulnerability that has not been publicly released? Any clues?</FONT> <BR><BR><FONT face=sans-serif size=2>Regards,</FONT> <BR><FONT face=sans-serif size=2>Brent</FONT> <BR></BLOCKQUOTE></BODY></HTML>
Current thread:
- Interesting Occurrence Brent_OKeeffe (Jun 21)
- Re: Interesting Occurrence Jeff Shultz (Jun 21)
- RE: Interesting Occurrence Luke Starrett (Jun 21)
- RE: Interesting Occurrence Randy Bush (Jun 21)
- Re: Interesting Occurrence Richard A Steenbergen (Jun 21)
- Re: Interesting Occurrence Christian Malo (Jun 21)
- Re: Interesting Occurrence John Kinsella (Jun 21)
- Message not available
- Re: Interesting Occurrence Mike Tancsa (Jun 21)
- <Possible follow-ups>
- Re: Interesting Occurrence Brent_OKeeffe (Jun 21)
- Re: Interesting Occurrence Brent_OKeeffe (Jun 21)