RE: Pubstro rash

["David LeBlanc" <dleblanc () exchange microsoft com>]

That would be a good guess. XP was the first version where blank
passwords can only be used at the console.

BOFH mode = ON
I think that if the network admin can guess the password on a system
that it deserves to get a new, very random 15-character (Win2k and up,
14 on NT 4.0) password, and if that inconveniences the user then they
need to learn to use decent passwords, and you should set up a system
whereby you can give them the new password out of band and the system
should be suitably inconvenient such that they won't want to use it
again.

-----Original Message-----
From: Nick FitzGerald [mailto:nick () virus-l demon co uk] 
Sent: Thursday, March 17, 2005 2:34 PM
To: incidents () securityfocus com
Subject: RE: Pubstro rash

David Gillett wrote:

>   Further detail:  I'm being told that all of the compromised 
> workstations are running 2KPro or NTW.  So that suggests that the 
> attackers are getting in through a hole that is fixed in XP or its 
> service packs.

Or poor password policies...

Most pubstros I've seen succeed do so with just password guessing (and
relatively trivial guessing at that) -- not that they don't have other
methods, just that pwd guessing gets them plenty of victims.  Are these
machines visible to the world for any kind of standard NT authentication
connections?  If so, start with the simplest (and probably most likely),
which is user slackness (blank, "admin", "guest", "pass", "aaaaa",
"qwerty", "12345", etc passwords).

Vulns common to NT and 2K but not XP would be fairly rare (other than in
non-XPSP2 IE 6??), unless you have very limited patch control over
non-XP machines but good control of XP patching.


Regards,

Nick FitzGerald