Security Incidents mailing list archives

RE: Mysterious "Support" account created on Win2k server


From: <kyle () kylelai com>
Date: Fri, 3 Jan 2003 14:43:09 -0500

Once a worm/trojan or an attacker successfully connects to a system via port
445 and guesses the administrator ID and a weak password, the system is fully
owned by the worm/trojan/attacker.

Once a system is compromised with an administrator account, the
attackers/worms/Trojans have full access to the system, including creating
an account.

An account can be easily created by using command line tools that come with
the Windows 2000 resource kit or third party tools.  Check out the article
http://www.win2000mag.net/Articles/Index.cfm?ArticleID=16426.

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klai () klcconsulting net
www.klcconsulting.net

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Friday, January 03, 2003 2:11 PM
To: kyle () kylelai com; Matthew Cole; Scott Fendley
Cc: incidents () securityfocus com
Subject: RE: Mysterious "Support" account created on Win2k server



--- kyle () kylelai com wrote:
> port 445 worm/virus/Trojans are the ones spread via
> SMB over TCP, port 445, using "net use \\[machine]\ipc$".
> The Trojans include password dictionaries for guessing
> admin ids and passwords.

However, that doesn't address the creation of the
account...it only addresses the fact that Scott had a
typo in his post.

[snip]

> -----Original Message-----
> From: Scott Fendley [mailto:scottf () uark edu]
> Sent: Thursday, January 02, 2003 3:03 PM
> To: Ostfeld, Thomas
> Cc: 'incidents () securityfocus com'
> Subject: Re: Mysterious "Support" account created on Win2k server
>
> I have seen a number of these.  In every case I have found on our
> campus, there was a user account with power user or administrative
> access that had an extremely weak password.  The intruder would "net
> use" through that account to create another admin account (support in
> this case) for him to use.

Uhm...no, he wouldn't.  He'd have to use "net
user"..."net use" does NOT allow for the creation of
accounts.  Could be a typo, I know, but the difference
of one letter is significant.

> ...daemon with an innocuous looking name like winasp,
> lsasss.exe, wimlogon.exe or something else that
> looks close to actual legit processes.

While "wimlogon" may look close to legit, I would hope
that admins are smart enough that seeing that will
raise the hackles on the backs of their necks.  In
fact, the process can be running w/ a legit name, like
"svchost.exe", but using tools like listdlls.exe will
show that the executable image is located in a
directory other than system32.

> I would check to verify that all the accounts have
> appropriately significant passwords on them.

Would you suggest using L0phtcrack?

> Also, I would check the event log to see
> if there is a gaping hole in time where logged
> entries do not exist any more.

Wouldn't this really depend on what exactly is being
logged?  If auditing isn't enabled and there are no
significant apps that log to the EventLog (a/v, for
example) then there can be days or weeks between
entries.

> This is the first i have seen exactly like this, but
> it is similar enough to ones i have been fighting on
> campus for the past few months to call it coincidence.

I wouldn't call it a coincidence, Scott, I'd call it
the nature of the beast when it comes to a campus.


To Thomas,

> > I know approximately when the attack occurred, but I am still
> > puzzled as to how it was done.  The web logs show the usual IIS
> > root exploit attempts, but those all fail.  Everything else looks
> > normal.  I've scoured the machine pretty thoroughly for bots,
> > trojans, viruses, hidden and altered files, and have so far come
> > up empty.  No weird open ports either.

I wish we knew more about what you did to scour the
machine, and what tools you used.  By understanding
your methodology and tools, perhaps an error would be
uncovered, or a better way recommended.  Too many
times, I've seen admins modify data *before* accessing
it, simply b/c they didn't know.

When you say "no weird open ports", what do you mean?
Did you run fport?  If so, what did it find?  Netcat
renamed to "inetinfo.exe" and bound to port 80 isn't
"weird" at all...but is a remote shell nonetheless.







----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
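The chain Kyle and Scott describe (password guessing against port 445, a network logon with the guessed Administrator password, then a new account created and added to Administrators) and H C's point that a silent stretch of log means nothing unless auditing was on, written as an added example that is not part of any message in this thread. It assumes the Security log has been exported one event per line in a constructed pipe-delimited form (time|event id|target account|caller account|source workstation), which is not dumpel's or Event Viewer's format, and it uses the Windows 2000 Security event IDs 529 (logon failure, unknown user name or bad password), 540 (successful network logon), 624 (user account created) and 636 (member added to a security-enabled local group), which the thread itself does not name. The sample log lines are constructed.

```python
"""Triage an exported Windows 2000 Security log for the pattern discussed
in the thread: SMB password guessing over TCP 445, a successful network
logon with the guessed Administrator password, then "net user support
... /add" and "net localgroup administrators support /add".

Added example, not from the thread.  Event IDs are the Windows 2000
Security log IDs (assumed here, not named in the thread):
  529  logon failure, unknown user name or bad password
  540  successful network logon
  624  user account created
  636  member added to a security-enabled local group
The export format is a constructed simplification (one event per line,
"time|event_id|target_account|caller_account|source_workstation"), not
the exact output of dumpel or Event Viewer.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export.  "-" marks a field the event does not carry.
SAMPLE_LOG = """\
2003-01-02 01:10:03|529|Administrator|-|BRUTE-PC
2003-01-02 01:10:04|529|Administrator|-|BRUTE-PC
2003-01-02 01:10:04|529|Administrator|-|BRUTE-PC
2003-01-02 01:10:05|529|Administrator|-|BRUTE-PC
2003-01-02 01:10:06|529|Administrator|-|BRUTE-PC
2003-01-02 01:10:07|540|Administrator|-|BRUTE-PC
2003-01-02 01:10:20|624|support|Administrator|-
2003-01-02 01:10:25|636|support|Administrator|-
2003-01-02 09:30:00|540|scottf|-|ADMIN-WS
"""

GUESS_THRESHOLD = 4                  # bad passwords from one host ...
GUESS_WINDOW = timedelta(minutes=5)  # ... inside this window = guessing
LINK_WINDOW = timedelta(minutes=30)  # network logon -> account change link
MAX_GAP = timedelta(hours=6)         # longer silence is worth a look


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        stamp, eid, target, caller, host = line.split("|")
        events.append({"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "target": target,
                       "caller": caller, "host": host})
    return sorted(events, key=lambda e: e["time"])


def guessing_hosts(events):
    """Map host -> most 529s it produced inside one GUESS_WINDOW, for
    hosts that reached GUESS_THRESHOLD (dictionary attack over 445)."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == 529:
            fails[e["host"]].append(e["time"])
    result = {}
    for host, times in fails.items():
        best = 0
        for i, start in enumerate(times):
            run = sum(1 for t in times[i:] if t - start <= GUESS_WINDOW)
            best = max(best, run)
        if best >= GUESS_THRESHOLD:
            result[host] = best
    return result


def account_changes(events):
    """Each 624/636, linked to the most recent 540 by the caller account
    within LINK_WINDOW, so the source workstation becomes visible."""
    guessers = guessing_hosts(events)
    logons = [e for e in events if e["id"] == 540]
    findings = []
    for e in events:
        if e["id"] not in (624, 636):
            continue
        prior = [l for l in logons
                 if l["target"] == e["caller"]
                 and timedelta(0) <= e["time"] - l["time"] <= LINK_WINDOW]
        source = prior[-1]["host"] if prior else "unknown"
        findings.append({"time": e["time"], "event": e["id"],
                         "account": e["target"], "by": e["caller"],
                         "from": source, "after_guessing": source in guessers})
    return findings


def audit_gaps(events):
    """Silent stretches longer than MAX_GAP.  With auditing on, a gap means
    either nothing happened or the log was cleared; with auditing off it
    means nothing at all, which is H C's point."""
    times = [e["time"] for e in events]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > MAX_GAP]


def triage(text):
    events = parse_log(text)
    return {"guessing": guessing_hosts(events),
            "changes": account_changes(events),
            "gaps": audit_gaps(events)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, items)
```

On the sample data, BRUTE-PC shows up as a guessing host, both the 624 and the 636 for "support" link back to the Administrator network logon from BRUTE-PC, and the eight-hour silence after the account creation is reported as a gap for the analyst to weigh against the audit policy.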
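H C's two process checks (a name that is a few letters off a real system binary, and a legitimate name whose image lives outside system32, including netcat renamed inetinfo.exe and bound to port 80), written as an added example over a constructed snapshot of the kind of data listdlls and fport report. This is not code from the thread. The expected image paths assume a default Windows 2000 install with %SystemRoot% = C:\WINNT, and the process and listener tables are made up for the example.

```python
"""Two of the process checks H C describes, run over a constructed snapshot
of the kind of data listdlls (image path per process) and fport (listening
port -> pid -> image) report.  Added example, not from the thread.

Assumptions: a default Windows 2000 install with %SystemRoot% = C:\\WINNT,
so the expected image paths below are assumed, and the sample process and
listener tables are made up for the example.
"""

# Where these binaries live on an assumed default Win2k install.
EXPECTED_PATH = {
    "winlogon.exe": r"C:\WINNT\system32\winlogon.exe",
    "lsass.exe":    r"C:\WINNT\system32\lsass.exe",
    "csrss.exe":    r"C:\WINNT\system32\csrss.exe",
    "services.exe": r"C:\WINNT\system32\services.exe",
    "svchost.exe":  r"C:\WINNT\system32\svchost.exe",
    "spoolsv.exe":  r"C:\WINNT\system32\spoolsv.exe",
    "inetinfo.exe": r"C:\WINNT\system32\inetsrv\inetinfo.exe",
}

# Constructed snapshot: (pid, process name, image path), listdlls-style.
PROCESSES = [
    (212,  "winlogon.exe", r"C:\WINNT\system32\winlogon.exe"),
    (236,  "lsass.exe",    r"C:\WINNT\system32\lsass.exe"),
    (420,  "svchost.exe",  r"C:\WINNT\system32\svchost.exe"),
    (1044, "svchost.exe",  r"C:\WINNT\Temp\svchost.exe"),        # right name, wrong dir
    (1188, "wimlogon.exe", r"C:\WINNT\system32\wimlogon.exe"),   # lookalike name
    (1320, "inetinfo.exe", r"C:\WINNT\system32\inetsrv\inetinfo.exe"),
    (1400, "inetinfo.exe", r"C:\Inetpub\scripts\inetinfo.exe"),  # renamed netcat
]

# Constructed snapshot: (port, pid, protocol), fport-style.
LISTENERS = [(80, 1400, "TCP"), (135, 420, "TCP"), (445, 8, "TCP")]

LOOKALIKE_DISTANCE = 2   # edits away from a real system binary name


def levenshtein(a, b):
    """Edit distance between two names (wimlogon.exe vs winlogon.exe = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_processes(procs):
    """Flag (a) system binary names running from the wrong place and
    (b) names that are a few edits away from a system binary name."""
    findings = []
    for pid, name, path in procs:
        lname = name.lower()
        if lname in EXPECTED_PATH:
            if path.lower() != EXPECTED_PATH[lname].lower():
                findings.append((pid, name, "expected %s, image is %s"
                                 % (EXPECTED_PATH[lname], path)))
            continue
        near = [real for real in EXPECTED_PATH
                if levenshtein(lname, real) <= LOOKALIKE_DISTANCE]
        if near:
            findings.append((pid, name, "lookalike of %s" % near[0]))
    return findings


def check_listeners(listeners, procs):
    """A port is only as trustworthy as the image behind it: port 80 held
    by an 'inetinfo.exe' outside inetsrv is not IIS."""
    image = {pid: (name, path) for pid, name, path in procs}
    findings = []
    for port, pid, proto in listeners:
        name, path = image.get(pid, ("<unknown>", "<unknown>"))
        expected = EXPECTED_PATH.get(name.lower())
        if expected and path.lower() != expected.lower():
            findings.append((port, pid, name, "bound by %s" % path))
    return findings


if __name__ == "__main__":
    for f in check_processes(PROCESSES):
        print("process", f)
    for f in check_listeners(LISTENERS, PROCESSES):
        print("listener", f)
```

The name check alone passes pid 1400, which is why the path comparison is applied to every listener regardless of how ordinary its port and process name look; pid 8 (System, on 445) has no user-mode image in the snapshot and is skipped rather than guessed at.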

