RE: possible compromised host

From: Tim Harris (timhar_at_pacbell.net)
Date: 07/11/03

    To: "'LiNERROR'" <linerror@stx.rr.com>, <incidents@securityfocus.com>
    Date: Fri, 11 Jul 2003 14:06:38 -0700
    
    

    Do they actually exist as separate accounts (unlikely) or has password
    checking for this account somehow been bypassed (more likely)?

    You might also want to try some other accounts to see if perhaps password
    checking has been globally disabled.

    -----Original Message-----
    From: LiNERROR [mailto:linerror@stx.rr.com]
    Sent: Thursday, July 10, 2003 11:57 PM
    To: incidents@securityfocus.com
    Subject: possible compromised host

    Upon running an audit on one of my networks, Retina discovered a system with
    what appeared to be multiple administrator accounts.
    snip ---
    Accounts: User: Administrator Pass: rotartsinimdA - Account password
    reverse of account
    Accounts: User: Administrator Pass: Administrator - Account password same
    as account
    Accounts: User: Administrator Pass: - Account with no password
    snip ---
    However, the system shows no evidence of these accounts in the user
    manager... BUT they EXIST!
    I can connect to the system using my specified account and password... AND
    the three above.

    I've never seen this before and was wondering if anyone knew anything that
    might help me figure out how badly this system has been compromised...

    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out.
    www.blackhat.com
    ----------------------------------------------------------------------------

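Tim's suggestion to try other accounts can be turned into a repeatable check on the suspect host. The PowerShell script below is an added example, not code from either poster: for each listed account it calls the Win32 LogonUser API with a freshly generated random password and flags any account that accepts it, which would confirm that password checking is being bypassed rather than that three extra Administrator accounts exist. The account list and the use of a network-style logon are assumptions.

```powershell
# Added example (not from the thread): flags local accounts that accept a
# random password, which indicates bypassed password validation.
# Assumes it runs on the suspect host under Windows PowerShell.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class LogonCheck {
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

$LOGON32_LOGON_NETWORK    = 3     # same validation path a remote SMB logon takes
$LOGON32_PROVIDER_DEFAULT = 0
$ERROR_LOGON_FAILURE      = 1326  # the answer a wrong password should produce

# Accounts to probe (assumed list); add any the scanner reported.
$accounts = @('Administrator', 'Guest', $env:USERNAME)

foreach ($acct in $accounts) {
    # 24 random bytes, base64-encoded: a password nobody could have set.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $bogus = [Convert]::ToBase64String($bytes)

    $token = [IntPtr]::Zero
    $ok = [LogonCheck]::LogonUser($acct, '.', $bogus, $LOGON32_LOGON_NETWORK,
                                  $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    if ($ok) {
        [LogonCheck]::CloseHandle($token) | Out-Null
        Write-Warning "${acct} accepted a random password: password checking is bypassed"
    } else {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -eq $ERROR_LOGON_FAILURE) {
            Write-Output "${acct} rejected the random password (expected)"
        } else {
            # e.g. 1327 ERROR_ACCOUNT_RESTRICTION, seen for blank-password accounts
            Write-Output "${acct}: logon failed with Win32 error ${err}, inspect manually"
        }
    }
}
```

Run it locally on the host in question and compare the result with what the scanner claimed; a warning for Administrator means the three "accounts" are one account whose password is no longer being checked.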

