RE: Mysterious "Support" account created on Win2k server

From: Michiel Overtoom (motoom@xs4all.nl)
Date: 01/03/03

    Date: Fri, 03 Jan 2003 19:55:28 +0100
    To: <incidents@securityfocus.com>
    From: Michiel Overtoom <motoom@xs4all.nl>
    
    

    Kyle wrote...

    >Port 445 worms/viruses/Trojans are the ones spread via SMB over TCP, port 445,
    >using "net use \\[machine]\ipc$". The Trojans include password dictionaries
    >for guessing admin ids and passwords.

    On my servers I remove these kinds of built-in accounts using a batch file which
    gets executed from the startup folder:

      @echo off
      echo Unsharing default shares...
      net share ipc$ /delete
      net share admin$ /delete
      net share c$ /delete
      net share d$ /delete
      net share e$ /delete
      net share f$ /delete
      net share g$ /delete
      net share h$ /delete

    -- 
    Michiel Overtoom  - motoom@xs4all.nl  //  Computers are Creative Wonder Machines
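
The dictionary guessing over SMB that Kyle describes appears in the Win2k Security log as bursts of event 529 (logon failure) with logon type 3 (network), and a newly created account appears as event 624. The following is an added example, not code from the thread; the CSV layout, the sample rows and the function names are constructed for illustration, and it assumes logon and account-management auditing are enabled.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 529     # Win2k: logon failure, unknown user name or bad password
ACCOUNT_CREATED = 624  # Win2k: user account created
NETWORK_LOGON = "3"    # logon type of SMB sessions such as net use \\host\ipc$

# Constructed sample rows (not from the thread): time,event_id,logon_type,source,account
SAMPLE = """\
2003-01-02 03:10:01,529,3,10.0.0.66,administrator
2003-01-02 03:10:02,529,3,10.0.0.66,administrator
2003-01-02 03:10:03,529,3,10.0.0.66,admin
2003-01-02 03:10:05,529,3,10.0.0.66,root
2003-01-02 03:10:06,529,3,10.0.0.66,administrator
2003-01-02 03:10:08,529,3,10.0.0.66,backup
2003-01-02 03:12:40,624,,,support
2003-01-02 08:30:12,529,2,192.168.1.20,jsmith
"""

def parse(text):
    """Turn the constructed CSV layout into a time-ordered list of event tuples."""
    events = []
    for ts, event_id, logon_type, source, account in csv.reader(io.StringIO(text)):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        events.append((when, int(event_id), logon_type, source, account.lower()))
    return sorted(events)

def guessing_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Map each source with >= threshold failed network logons inside window
    to (time the threshold was reached, every account name it tried)."""
    recent, tried, flagged = defaultdict(list), defaultdict(set), {}
    for ts, event_id, logon_type, source, account in events:
        if event_id != FAILED_LOGON or logon_type != NETWORK_LOGON:
            continue  # ignore console typos and unrelated events
        recent[source] = [t for t in recent[source] if ts - t <= window] + [ts]
        tried[source].add(account)
        if len(recent[source]) >= threshold:
            flagged.setdefault(source, ts)
    return {src: (when, sorted(tried[src])) for src, when in flagged.items()}

def accounts_created_after(events, since):
    """Accounts created (event 624) at or after a flagged burst: review each one."""
    return [e[4] for e in events if e[1] == ACCOUNT_CREATED and e[0] >= since]

if __name__ == "__main__":
    log = parse(SAMPLE)
    for src, (when, names) in guessing_sources(log).items():
        print(src, when, names, "new accounts:", accounts_created_after(log, when))
```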