RE: Mysterious "Support" account created on Win2k server
From: Ed Street (blacknet@simplyaquatics.com)
Date: 01/02/03
- Previous message: Scott Fendley: "Re: Mysterious "Support" account created on Win2k server"
- In reply to: Ostfeld, Thomas: "Mysterious "Support" account created on Win2k server"
- Next in thread: Matthew Cole: "RE: Mysterious "Support" account created on Win2k server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ed Street" <blacknet@simplyaquatics.com>
To: "'Ostfeld, Thomas'" <tostfeld@kimpact.com>, <incidents@securityfocus.com>
Date: Thu, 2 Jan 2003 16:07:00 -0500
Hello,
Well, some more information would be needed. I.e., Dell PCs ship with the support account active.
Ed
=> -----Original Message-----
=> From: Ostfeld, Thomas [mailto:tostfeld@kimpact.com]
=> Sent: Thursday, January 02, 2003 3:34 PM
=> To: 'incidents@securityfocus.com'
=> Subject: Mysterious "Support" account created on Win2k server
=>
=> One of my web servers appears to have had an intrusion. The box is Win2k Advanced Server, SP3, up to date on all security patches. I first became aware of a problem when the main website hosted on the box became inaccessible. Checking the machine, I discovered that the Local Security Policy had been altered so as to remove the Everyone and Local Administrators group from the "Access this machine from the network" policy. In place was a single local account called "Support" that I did not recognize.
=>
=> Looking into the accounts database, I discovered this account with a description of "Built in account for providing user support." It was also part of the administrators group. Needless to say, this looked suspicious, so I locked the server back down and set up intrusion detection to look for further attempts to exploit the account.
=>
=> I know approximately when the attack occurred, but I am still puzzled as to how it was done. The web logs show the usual IIS root exploit attempts, but those all fail. Everything else looks normal. I've scoured the machine pretty thoroughly for bots, trojans, viruses, hidden and altered files, and have so far come up empty. No weird open ports either.
=>
=> Has anyone seen this before? There are one or two postings of the same nature on Google, but little else to give me something to go on.
=>
=> Tom Ostfeld
=> Knowledge Impact
=> Ostfeld7 (AIM)
=>
=> ----------------------------------------------------------------------------
=> This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
=>
=> ---
=> Incoming mail is certified Virus Free.
=> Checked by AVG anti-virus system (http://www.grisoft.com).
=> Version: 6.0.435 / Virus Database: 244 - Release Date: 12/30/2002
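The two indicators Tom reports (an unfamiliar member of the local Administrators group whose description mimics a built-in account, and the Administrators group stripped from "Access this computer from the network") can be checked on a current Windows host with the script below. It is an added example written for this thread, not code from either poster; it assumes an elevated PowerShell 5.1 or later session, and the $ExpectedAdmins allow-list is a placeholder baseline to adjust per host.

```powershell
# Added example: audit the indicators described in the thread.
# Assumes an elevated PowerShell 5.1+ session (Get-Local* cmdlets, secedit).
$ExpectedAdmins = @('Administrator', 'Domain Admins')   # assumed baseline, edit per host

# 1. Members of the local Administrators group that are not on the allow-list.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $short = ($m.Name -split '\\')[-1]            # strip COMPUTER\ or DOMAIN\ prefix
    if ($ExpectedAdmins -notcontains $short) {
        Write-Warning "Unexpected Administrators member: $($m.Name) [$($m.PrincipalSource)]"
    }
}

# 2. Local accounts whose description claims to be built-in but whose RID is
#    not a well-known one (500 Administrator, 501 Guest, 503/504 newer built-ins).
#    Real built-ins never have a RID of 1000 or higher.
foreach ($u in Get-LocalUser) {
    $rid = [int](($u.SID.Value -split '-')[-1])
    if ($u.Description -like 'Built*in account*' -and $rid -ge 1000) {
        Write-Warning "Account '$($u.Name)' (RID $rid) poses as built-in: $($u.Description)"
    }
}

# 3. Who holds SeNetworkLogonRight ("Access this computer from the network").
#    secedit writes an INI-style file; SIDs appear as *S-1-5-32-544,*S-1-1-0,...
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $line) {
    Write-Warning 'SeNetworkLogonRight is not defined in the exported policy'
} else {
    $sids = ($line -replace '^SeNetworkLogonRight\s*=\s*', '') -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    Write-Host "SeNetworkLogonRight granted to: $($sids -join ', ')"
    # S-1-5-32-544 is BUILTIN\Administrators; its absence is the tampering seen in the thread.
    if ($sids -notcontains 'S-1-5-32-544') {
        Write-Warning "BUILTIN\Administrators has been removed from 'Access this computer from the network'"
    }
}
```

Run it from a scheduled task and diff the output against a known-good baseline; a new warning in sections 1 or 2, or a change in section 3, is the signal Tom only found after the site went down.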