RE: Mysterious "Support" account created on Win2k server

From: kyle@kylelai.com
Date: 01/03/03

  • Next message: kyle@kylelai.com: "RE: Mysterious "Support" account created on Win2k server" 
    From: <kyle@kylelai.com>
To: <incidents@securityfocus.com>
Date: Fri, 3 Jan 2003 16:45:46 -0500

    No, attackers cannot use "net use." to create user accounts, but
    YES, they can create user accounts after they use "net use" to connect to
    victimized systems.

    Just to demonstrate, here is one of the methods of attack:

    1. "net use \\machine\ipc$" with admin id and weak password. assume it
    successfully connected to the system.
    2. use "psexec" from sysinternals.com to copy necessary files to the
    victimized systems
    3. use "psexec" to execute commands on the victimized system, i.e.
    Addusers. They can run any commands, programs, or viruses/worm/trojans now
    since they can copy all necessary files to the victimized system and run
    them as an administrator.

    That above method was the method used in the ocxdll.exe / taskmngr.exe
    worm/Trojan.

    Kyle Lai, CISSP, CISA
    KLC Consulting, Inc.
    617-921-5410
    klai@klcconsulting.net
    www.klcconsulting.net 

    ---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.435 / Virus Database: 244 - Release Date: 12/30/2002
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com