Security Incidents mailing list archives
RE: Mysterious "Support" account created on Win2k server
From: <kyle () kylelai com>
Date: Fri, 3 Jan 2003 12:19:12 -0500
Port 445 worms/viruses/Trojans are the ones spread via SMB over TCP port 445, using "net use \\[machine]\ipc$". The Trojans include password dictionaries for guessing admin IDs and passwords. I analyzed one of the port 445 worm/Trojans, ocxdll.exe, back in late August 2002; it was using the mIRC client (taskmngr.exe) as the engine and running mIRC scripts to scan random IPs and spread when they found victims with port 445 open. My analysis is at http://www.klcconsulting.net/mIRC_Virus_Analysis.htm

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klai () klcconsulting net
www.klcconsulting.net

-----Original Message-----
From: Matthew Cole [mailto:mcole () sigpc com]
Sent: Friday, January 03, 2003 7:27 AM
To: Scott Fendley
Cc: incidents () securityfocus com
Subject: RE: Mysterious "Support" account created on Win2k server

We have seen several of these that were compromised due to MSDE or SQL with no SA password or 'sa' as the SA password. The boxes we have seen are also not running all the SQL patches. (Note that MSDE uses no sa password by default in most installations.)

-----Original Message-----
From: Scott Fendley [mailto:scottf () uark edu]
Sent: Thursday, January 02, 2003 3:03 PM
To: Ostfeld, Thomas
Cc: 'incidents () securityfocus com'
Subject: Re: Mysterious "Support" account created on Win2k server

I have seen a number of these. In every case I have found on our campus, there was a user account with power user or administrative access that had an extremely weak password. The intruder would "net use" through that account to create another admin account (Support in this case) for him to use. They would update the security policy so that other intruders are unlikely to compromise the system. And then they would start up Terminal Services or similar remote desktop utilities, and set up either a warez server or an IRC Serv-U daemon with an innocuous-looking name like winasp, lsasss.exe, wimlogon.exe or something else that looks close to actual legit processes.

I would check to verify that all the accounts have appropriately significant passwords on them. Also, I would check the event log to see if there is a gaping hole in time where logged entries do not exist any more. This is the first I have seen exactly like this, but it is similar enough to ones I have been fighting on campus for the past few months to call it coincidence.

Scott Fendley

On Thu, 2 Jan 2003, Ostfeld, Thomas wrote:
One of my web servers appears to have had an intrusion. The box is Win2k Advanced Server, SP3, up to date on all security patches. I first became aware of a problem when the main website hosted on the box became inaccessible. Checking the machine, I discovered that the Local Security Policy had been altered so as to remove the Everyone and Local Administrators group from the "Access this machine from the network" policy. In place was a single local account called "Support" that I did not recognize. Looking into the accounts database, I discovered this account with a description of "Built in account for providing user support." It was also part of the Administrators group. Needless to say, this looked suspicious, so I locked the server back down and set up intrusion detection to look for further attempts to exploit the account.

I know approximately when the attack occurred, but I am still puzzled as to how it was done. The web logs show the usual IIS root exploit attempts, but those all fail. Everything else looks normal. I've scoured the machine pretty thoroughly for bots, trojans, viruses, hidden and altered files, and have so far come up empty. No weird open ports either.

Has anyone seen this before? There are one or two postings of the same nature on Google, but little else to give me something to go on.

Tom Ostfeld
Knowledge Impact
Ostfeld7 (AIM)
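Scott Fendley's two checks above (unrecognised members of Administrators, and a gap in the Security log where entries were cleared) are easy to automate once the account list and log have been exported to text. The script below is an added example, not code from the thread; the export formats, the `KNOWN_ADMINS` list and the sample entries are constructed for illustration, while the event IDs (528, 529, 624, 636) are the standard Windows 2000 Security log IDs for logon, logon failure, account creation and local group membership change.

```python
"""Added example: review a local-account export and a Security log export
for an unexpected admin account and for a suspicious silence in the log.
Input formats and sample data are constructed for this example."""
from datetime import datetime, timedelta

# Constructed account export: (name, group, description). The "Support"
# entry mirrors the account described in the thread.
ACCOUNTS = [
    ("Administrator", "Administrators", "Built-in account for administering the computer/domain"),
    ("webadmin", "Administrators", ""),
    ("Support", "Administrators", "Built in account for providing user support"),
    ("IUSR_WEB01", "Guests", "Built-in account for anonymous access to IIS"),
]
KNOWN_ADMINS = {"Administrator", "webadmin"}  # the admins the owner actually created

# Constructed Security log export: "timestamp<TAB>event id<TAB>message" per line.
SECURITY_LOG = """\
2002-12-30 23:55:10\t528\tSuccessful Logon: User Name: webadmin Logon Type: 3
2002-12-31 00:10:42\t529\tLogon Failure: User Name: administrator Logon Type: 3
2003-01-02 09:14:03\t624\tUser Account Created: New Account Name: Support
2003-01-02 09:14:05\t636\tSecurity Enabled Local Group Member Added: Administrators
"""

def unexpected_admins(accounts, known):
    """Return Administrators members that are not in the owner's known list."""
    return [name for name, group, _ in accounts
            if group == "Administrators" and name not in known]

def log_gaps(log_text, max_gap=timedelta(hours=6)):
    """Return (start, end) pairs where consecutive entries are further apart
    than max_gap. On a busy server a long silence suggests cleared entries."""
    stamps = [datetime.strptime(line.split("\t")[0], "%Y-%m-%d %H:%M:%S")
              for line in log_text.splitlines() if line.strip()]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]

def account_creation_events(log_text):
    """Return the account names from 'User Account Created' (event 624) lines."""
    names = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3 and parts[1] == "624":
            names.append(parts[2].rsplit(":", 1)[1].strip())
    return names

if __name__ == "__main__":
    print("unexpected admins:", unexpected_admins(ACCOUNTS, KNOWN_ADMINS))
    for a, b in log_gaps(SECURITY_LOG):
        print(f"log gap: {a} -> {b} ({b - a})")
    print("accounts created:", account_creation_events(SECURITY_LOG))
```

The gap threshold should be tuned to the host: a web server that logs network logons continuously can use a much shorter `max_gap` than a quiet box.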
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com