RE: Mysterious "Support" account created on Win2k server
From: Matthew Cole (mcole@sigpc.com)
Date: 01/03/03
- Previous message: H C: "RE: Abnormally high Sub-Seven attack rate increase"
- Maybe in reply to: Ostfeld, Thomas: "Mysterious "Support" account created on Win2k server"
- Next in thread: kyle@kylelai.com: "RE: Mysterious "Support" account created on Win2k server"
- Reply: kyle@kylelai.com: "RE: Mysterious "Support" account created on Win2k server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 3 Jan 2003 06:26:43 -0600
From: "Matthew Cole" <mcole@sigpc.com>
To: "Scott Fendley" <scottf@uark.edu>
We have seen several of these that were compromised due to MSDE or SQL
with no SA password or 'sa' as the SA password. The boxes we have seen
are also not running all the SQL patches. (Note that MSDE uses no sa
password by default in most installations)
-----Original Message-----
From: Scott Fendley [mailto:scottf@uark.edu]
Sent: Thursday, January 02, 2003 3:03 PM
To: Ostfeld, Thomas
Cc: 'incidents@securityfocus.com'
Subject: Re: Mysterious "Support" account created on Win2k server
I have seen a number of these. In every case I have found on our campus,
there was a user account with power user or administrative access that had
an extremely weak password. The intruder would "net use" through that
account to create another admin account (support in this case) for him to
use. They would update the security policy so that other intruders are
unlikely to compromise the system. And then they would start up Terminal
Services or similar remote desktop utilities, and set up either a warez
server or irc serv-u daemon with an innocuous looking name like winasp,
lsasss.exe, wimlogon.exe or something else that looks close to actual
legit processes.

I would check to verify that all the accounts have appropriately
significant passwords on them. Also, I would check the event log to see
if there is a gaping hole in time where logged entries do not exist any
more.

This is the first I have seen exactly like this, but it is similar enough
to ones I have been fighting on campus for the past few months to call it
coincidence.

Scott Fendley
On Thu, 2 Jan 2003, Ostfeld, Thomas wrote:

> One of my web servers appears to have had an intrusion. The box is Win2k
> Advanced Server, SP3, up to date on all security patches. I first became
> aware of a problem when the main website hosted on the box became
> inaccessible. Checking the machine, I discovered that the Local Security
> Policy had been altered so as to remove the Everyone and Local Administrators
> group from the "Access this machine from the network" policy. In place was a
> single local account called "Support" that I did not recognize.
>
> Looking into the accounts database, I discovered this account with a
> description of "Built in account for providing user support." It was also
> part of the administrators group. Needless to say, this looked suspicious,
> so I locked the server back down and set up intrusion detection to look for
> further attempts to exploit the account.
>
> I know approximately when the attack occurred, but I am still puzzled as to
> how it was done. The web logs show the usual IIS root exploit attempts, but
> those all fail. Everything else looks normal. I've scoured the machine
> pretty thoroughly for bots, trojans, viruses, hidden and altered files, and
> have so far come up empty. No weird open ports either.
>
> Has anyone seen this before? There are one or two postings of the same
> nature on Google, but little else to give me something to go on.
>
> Tom Ostfeld
> Knowledge Impact
> Ostfeld7 (AIM)
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
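The two checks Scott Fendley recommends in the thread (verify who holds administrative access, and look for a stretch of time with no event log entries) can be scripted against exported data. The block below is an added example, not code from anyone in the thread: it parses constructed `net localgroup Administrators` output and a constructed CSV export of the Security log, flags any administrator not on a hypothetical allowlist (`EXPECTED_ADMINS`), and reports gaps between consecutive log entries larger than an assumed threshold. Event IDs 528, 538 and 636 are the Windows 2000 logon, logoff and local-group-member-added events; the sample rows themselves are made up.

```python
"""Added example: automate the two checks suggested in the thread.

1. Compare local Administrators against an allowlist and flag the rest
   (the unrecognised "Support" account in the original report).
2. Find a gap in Security log timestamps large enough to suggest entries
   were cleared (the "gaping hole in time" Scott describes).

All inputs below are constructed samples; on a real host feed the script
the output of `net localgroup Administrators` and a CSV export of the log.
"""
from datetime import datetime, timedelta

# Constructed: the shape of `net localgroup Administrators` output on Win2k.
NET_LOCALGROUP_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Support
webadmin
The command completed successfully.
"""

# Hypothetical allowlist of accounts that should hold admin rights here.
EXPECTED_ADMINS = {"administrator", "webadmin"}


def parse_net_localgroup(text):
    """Return member names from `net localgroup <group>` output.

    Members are listed after the dashed separator and before the
    'The command completed successfully.' trailer.
    """
    members = []
    in_members = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if not in_members:
            continue
        if line.startswith("The command completed"):
            break
        if line.strip():
            members.append(line.strip())
    return members


def unexpected_admins(text, expected=EXPECTED_ADMINS):
    """Members of Administrators that are not on the allowlist (case-insensitive)."""
    return [m for m in parse_net_localgroup(text) if m.lower() not in expected]


# Constructed Security log export: "timestamp,event_id,message" per line.
# 528 = Successful Logon, 538 = User Logoff,
# 636 = Security Enabled Local Group Member Added (Windows 2000 IDs).
SECURITY_LOG_CSV = """\
2003-01-01 22:00:05,528,Successful Logon: User Name: webadmin
2003-01-01 22:15:40,528,Successful Logon: User Name: webadmin
2003-01-01 22:30:12,538,User Logoff: User Name: webadmin
2003-01-02 09:45:00,528,Successful Logon: User Name: Support
2003-01-02 09:46:10,636,Security Enabled Local Group Member Added: Administrators
"""


def parse_log(csv_text):
    """Parse the CSV export into (datetime, event_id, message) tuples."""
    rows = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, msg = line.split(",", 2)
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), msg))
    return rows


def find_time_gaps(csv_text, max_gap=timedelta(hours=4)):
    """Return (start, end, gap) for consecutive entries further apart than max_gap.

    The 4-hour default is an assumption; tune it to how chatty the host's
    Security log normally is (a busy web server rarely goes quiet for long).
    """
    rows = sorted(parse_log(csv_text), key=lambda r: r[0])
    gaps = []
    for prev, cur in zip(rows, rows[1:]):
        delta = cur[0] - prev[0]
        if delta > max_gap:
            gaps.append((prev[0], cur[0], delta))
    return gaps


if __name__ == "__main__":
    for name in unexpected_admins(NET_LOCALGROUP_OUTPUT):
        print("unexpected administrator:", name)
    for start, end, gap in find_time_gaps(SECURITY_LOG_CSV):
        print("log silent for", gap, "between", start, "and", end)
```

On the constructed data the script reports `Support` as an unexpected administrator and one silent stretch of a little over eleven hours ending right before the `Support` logon. A gap alone is not proof of log clearing (the host may simply have been idle), which is why the allowlist check and the gap check are meant to be read together.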