RE: Mysterious "Support" account created on Win2k server
From: H C (keydet89@yahoo.com)
Date: 01/03/03
- Previous message: Michiel Overtoom: "RE: Mysterious "Support" account created on Win2k server"
- In reply to: kyle@kylelai.com: "RE: Mysterious "Support" account created on Win2k server"
- Next in thread: kyle@kylelai.com: "RE: Mysterious "Support" account created on Win2k server"
- Reply: kyle@kylelai.com: "RE: Mysterious "Support" account created on Win2k server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 3 Jan 2003 11:10:34 -0800 (PST)
From: H C <keydet89@yahoo.com>
To: kyle@kylelai.com, Matthew Cole <mcole@sigpc.com>, Scott Fendley <scottf@uark.edu>
--- kyle@kylelai.com wrote:
> port 445 worm/virus/Trojans are the ones spread via SMB over TCP,
> port 445, using "net use \\[machine]\ipc$". The Trojans include
> password dictionaries for guessing admin ids and passwords.
However, that doesn't address the creation of the
account...it only addresses the fact that Scott had a
typo in his post.
[snip]
> -----Original Message-----
> From: Scott Fendley [mailto:scottf@uark.edu]
> Sent: Thursday, January 02, 2003 3:03 PM
> To: Ostfeld, Thomas
> Cc: 'incidents@securityfocus.com'
> Subject: Re: Mysterious "Support" account created on
> Win2k server
>
> I have seen a number of these. In every case I have found on our
> campus, there was a user account with power user or administrative
> access that had an extremely weak password. The intruder would "net
> use" through that account to create another admin account (support in
> this case) for him to use.
Uhm...no, he wouldn't. He'd have to use "net
user"..."net use" does NOT allow for the creation of
accounts. Could be a typo, I know, but the difference
of one letter is significant.
> ...daemon with an innocuous
> looking name like winasp,
> lsasss.exe, wimlogon.exe or something else that
> looks close to actual legit processes.
While "wimlogon" may look close to legit, I would hope
that admins are smart enough that seeing that will
raise the hackles on the backs of their necks. In
fact, the process can be running w/ a legit name, like
"svchost.exe", but using tools like listdlls.exe will
show that the executable image is located in a
directory other than system32.
> I would check to verify that all the accounts have
> appropriately significant passwords on them.
Would you suggest using L0phtcrack?
> Also, I would check the event log to see if there is a gaping hole in
> time where logged entries do not exist any more.
Wouldn't this really depend on what exactly is being
logged? If auditing isn't enabled and there are no
significant apps that log to the EventLog (a/v, for
example) then there can be days or weeks between
entries.
> This is the first I have seen exactly like this, but it is similar
> enough to ones I have been fighting on campus for the past few months
> to call it coincidence.
I wouldn't call it a coincidence, Scott, I'd call it
the nature of the beast when it comes to a campus.
To Thomas,
> > I know approximately when the attack occurred, but I am still puzzled
> > as to how it was done. The web logs show the usual IIS root exploit
> > attempts, but those all fail. Everything else looks normal. I've
> > scoured the machine pretty thoroughly for bots, trojans, viruses,
> > hidden and altered files, and have so far come up empty. No weird
> > open ports either.
I wish we knew more about what you did to scour the
machine, and what tools you used. By understanding
your methodology and tools, perhaps an error would be
uncovered, or a better way recommended. Too many
times, I've seen admins modify data *before* accessing
it, simply b/c they didn't know.
When you say "no weird open ports", what do you mean?
Did you run fport? If so, what did it find? Netcat
renamed to "inetinfo.exe" and bound to port 80 isn't
"weird" at all...but is a remote shell nonetheless.
__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
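The two checks the reply above points at (a listdlls-style look at where a "svchost.exe" really lives, and an fport-style mapping of listening ports to their owning image) as an added PowerShell example; this is not code from the thread or from either tool, it assumes a modern Windows host with the NetTCPIP module, run from an elevated prompt, and the list of system-binary names is an illustrative assumption.

```powershell
# Added example (not from the thread): map listening TCP ports to the owning
# process image, then flag processes that carry a system-binary name but run
# from somewhere other than %SystemRoot%\System32.
$system32 = Join-Path $env:SystemRoot 'System32'

# Names that malware commonly borrows; illustrative list, extend as needed.
$systemNames = @('svchost.exe', 'lsass.exe', 'winlogon.exe',
                 'inetinfo.exe', 'services.exe', 'csrss.exe')

# One snapshot of every process with its image path (ExecutablePath is empty
# for protected processes when not elevated, so those are skipped below).
$procs = Get-CimInstance Win32_Process |
    Select-Object ProcessId, Name, ExecutablePath

# 1) Every listening TCP port joined to the image that owns it. A listener on
#    port 80 whose image is not the real IIS binary stands out here even though
#    the port itself is not "weird".
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $owner = $procs | Where-Object { $_.ProcessId -eq $_.OwningProcess }
    $owner = $procs | Where-Object ProcessId -eq $_.OwningProcess
    [pscustomobject]@{
        LocalPort = $_.LocalPort
        PID       = $_.OwningProcess
        Name      = $owner.Name
        Image     = $owner.ExecutablePath
    }
}
$listeners | Sort-Object LocalPort | Format-Table -AutoSize

# 2) Processes named like a system binary whose image lives outside System32.
$suspect = $procs | Where-Object {
    ($_.Name -in $systemNames) -and
    $_.ExecutablePath -and
    -not $_.ExecutablePath.StartsWith($system32,
        [System.StringComparison]::OrdinalIgnoreCase)
}
$suspect | Select-Object ProcessId, Name, ExecutablePath | Format-Table -AutoSize
```

Both lists come from the running OS, so on a host that is already compromised they are only as trustworthy as the kernel and WMI answering the queries; treat them as a first pass before imaging, not as proof of a clean box.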