Security Incidents mailing list archives

RE: Mysterious "Support" account created on Win2k server


From: Michiel Overtoom <motoom () xs4all nl>
Date: Fri, 03 Jan 2003 19:55:28 +0100

Kyle wrote...

Port 445 worms/viruses/Trojans are the ones spread via SMB over TCP, port 445,
using "net use \\[machine]\ipc$". The Trojans include password dictionaries
for guessing admin ids and passwords.


On my servers I remove these kinds of builtin accounts using a batch file which
gets executed from the startup folder:

  @echo off
  echo Unsharing default shares...
  net share ipc$ /delete
  net share admin$ /delete
  net share c$ /delete
  net share d$ /delete
  net share e$ /delete
  net share f$ /delete
  net share g$ /delete
  net share h$ /delete



-- 
Michiel Overtoom  - motoom () xs4all nl  //  Computers are Creative Wonder Machines



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

