RE: possible compromised host
From: Tim Harris (timhar_at_pacbell.net)
Date: 07/11/03
- Previous message: LiNERROR: "possible compromised host"
- In reply to: LiNERROR: "possible compromised host"
- Next in thread: Harlan Carvey: "RE: possible compromised host"
- Reply: Harlan Carvey: "RE: possible compromised host"
To: "'LiNERROR'" <linerror@stx.rr.com>, <incidents@securityfocus.com>
Date: Fri, 11 Jul 2003 14:06:38 -0700
Do they actually exist as separate accounts (unlikely) or has password
checking for this account somehow been bypassed (more likely)?
You might also want to try some other accounts to see if perhaps password
checking has been globally disabled.
-----Original Message-----
From: LiNERROR [mailto:linerror@stx.rr.com]
Sent: Thursday, July 10, 2003 11:57 PM
To: incidents@securityfocus.com
Subject: possible compromised host
Upon running an audit on one of my networks, Retina discovered a system with
what appeared to be multiple administrator accounts.
snip ---
Accounts: User: Administrator Pass: rotartsinimdA - Account password reverse of account
Accounts: User: Administrator Pass: Administrator - Account password same as account
Accounts: User: Administrator Pass: - Account with no password
snip ---
However the system shows no evidence of these accounts in the user
manager... BUT they EXIST!
I can connect to the system using my specified Account and password... AND
the three above.
I've never seen this before and was wondering if anyone knew anything that
might help me figure out how badly this system has been compromised...
----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists. See for yourself what the buzz is about!
Early-bird registration ends July 3. This event will sell out. www.blackhat.com
----------------------------------------------------------------------------