Re: Mysterious "Support" account created on Win2k server

[Floydman <floydman () iquebec com>]

I made a tool that could probably help you to at least determine the 
actions taken by the intruder, if not the means of intrusion itself.  It is 
a command prompt logger that I had the idea after reading Lance Spitzner's 
papers.  It is called Comlog, it is made in perl and a compiled version is 
available at my site securit.iquebec.com.  In order to make it run under 
Win2K, you have to disable the Windows File Protection System (a "feature" 
that did not exist in NT), because Comlog has to replace cmd.exe in order 
to capture what is fed into it.  Since actions to disabling Windows FPS are 
different depending on your service pack level, I'll forward you to this 
Google search for more information about it: 
http://www.google.ca/search?q=disabling+windows+file+protection+system&ie=UTF-8&oe=UTF-8&hl=en&meta=

This tool works by replacing the real cmd.exe and capturing all the 
commands sent to it, then passing it to a remaned command prompt for 
execution, and captures the output before displaying it on the screen (or 
STDOUT).  If your intruder passes his commands by the command prompt, you 
can determine his course of actions.  Since your machine is already 
compromised, you'd have to make sure that any other copies of cmd.exe (ie 
root.exe) are also replaced by Comlog to be effective.  That is, this is if 
you're at all concerned abut this kind of info at this point with this 
incident.  Still, it could help you when you set up a new machine, just in 
case this happens again.

Hope this helps.

Floydman

At 04:03 PM 02/01/2003, Scott Fendley wrote:
> I have seen a number of these.  In every case I have found on our campus,
> there was a user account with power user or administrative access that had
> an extremely weak password.  The intruder would "net use" through that
> account to create another admin account (support in this case) for him to
> use.  They would update the security policy so that other intruders are
> unlikely to compromise the system.  And then they would start up Terminal
> services or similar remote desktop utilities, and set up either a warez
> server or irc serv-u daemon with an innocuous looking name like winasp,
> lsasss.exe, wimlogon.exe or something else that looks close to actual
> legit processes.
>
> I would check to verify that all the accounts have appropriately
> significant passwords on them.  Also, I would check the event log to see
> if there is a gapping hole in time where logged entries do not exist any
> more.
>
> This is the first i have seen exactly like this, but it is similar enough
> to ones i have been fighting on campus for the past few months to call it
> coincidence.
>
>
> Scott Fendley
>
>
>  On Thu, 2 Jan 2003, Ostfeld, Thomas wrote:
>
> > One of my web servers appears to have had an intrusion.  The box is Win2k
> > Advanced Server, SP3, up to date on all security patches.  I first became
> > aware of a problem when the main website hosted on the box became
> > inaccessible.  Checking the machine, I discovered that the Local Security
> > Policy had been altered as to remove the Everyone and Local Administrators
> > group from "Access this machine from the network" policy  In place was a
> > single local account called "Support" that I did not recognize.
> >
> > Looking into the accounts database, I discovered this account with a
> > description of "Built in account for providing user support."  It was also
> > part of the administrators group.  Needless to say, this looked suspicious,
> > so I locked the server back down and set up intrusion detection to look for
> > further attempts to exploit the account.
> >
> > I know approximately when the attack occurred, but I am still puzzled as to
> > how it was done.  The web logs show the usual IIS root exploit 
> attempts, but
> > those all fail.  Everything else looks normal.  I've scoured the machine
> > pretty thoroughly for bots, trojans, viruses, hidden and altered files, and
> > have so far come up empty.  No weird open ports either.
> >
> > Has anyone seen this before?  There is one or two postings of the same
> > nature on Google, but little else to give me something to go on.
> >
> > Tom Ostfeld
> > Knowledge Impact
> > Ostfeld7 (AIM)
> >
> >
> > 
> ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
> >
> >
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
> _____________________________________________________________________
> Envie de discuter en "live" avec vos amis ? Télécharger MSN Messenger
> http://www.ifrance.com/_reloc/m la 1ère messagerie instantanée de France


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com