Re: IWAP_WWW account showing up on XP boxes, not just IIS?
From: Chad Myers (cmyers_at_AUSTIN.RR.COM)
Date: 06/29/04
- Previous message: Hubbard, Dan: "Scob infection statistics, etc.."
- In reply to: Jeffrey Thomas: "IWAP_WWW account showing up on XP boxes, not just IIS?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 29 Jun 2004 09:39:43 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Here are the accounts that *should* or *may* be on a Win2K, XP, or 2K3 box:
ASPNET: The ASP.NET user account (very low privileges) - only necessary on
Win2K and XP, but present on Win2K3
ASPNET_WEB_ADMIN: ASP.NET Web Admin account (also low privileges, but
slightly more than ASPNET) - only necessary on Win2K and XP, but present on
Win2K3
IUSR_SERVERNAME: IIS anonymous user account (somewhat low privileges)
IWAM_SERVERNAME: IIS anonymous application account (somewhat low privileges)
WADM_SERVERNAME: ASP.NET Web Admin account (disabled by default) - not sure
what this is useful for, exactly.
In Windows 2003, ASP.NET applications run under the "NETWORK SERVICE"
account which has very little, if any privileges. This is more secure than
running under the ASPNET account. If you have developers that want to
install an ASP.NET app and they want you to switch the machine.config
ASP.NET account from "machine" to "system", tell them "NO!" unless they have
a *VERY* good reason for it. This will allow ASP.NET applications to run as
"LocalSystem" (which is obviously bad).
Also, if they want you to switch the Windows 2003 Application Pool from
using "NETWORK SERVICE" to anything else, tell them "NO!" unless they have a
*VERY* good reason for it.
-------------
IWAP_WWW is definitely bogus (but clever!).
-Chad
-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Jeffrey Thomas
Sent: Monday, June 28, 2004 10:08 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: IWAP_WWW account showing up on XP boxes, not just IIS?
Do a google on IWAP_WWW, seems there are XP users discovering this account
on their PCs suddenly in the last few days.
http://64.233.161.104/search?q=cache:1Dt5TJOVP6EJ:amazingtechs.com/index.php
%3Fshowtopic%3D14414+IWAP_WWW&hl=en
IWAM_WWW is a legit account (used by IIS in certain cfgs), but never heard
of IWAP_WWW so we may be looking at an attempt to hide a malicious account
using a slightly modified name of legit accounts. Could be legit, but more
checking definitely needed....I'm leaning towards non-legit account.
J. Thomas
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured
such that just hitting reply is going to result in the message coming to the
list, not to the individual who sent the message. This was done to help
reduce the number of Out of Office messages posters received. So if you want
to send a reply just to the poster, you'll have to copy their email address
out of the message and place it in your TO: field.
-----
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----
- Previous message: Hubbard, Dan: "Scob infection statistics, etc.."
- In reply to: Jeffrey Thomas: "IWAP_WWW account showing up on XP boxes, not just IIS?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
