Re: Unknown SID as Administrator

From: Colonel Flagg (colonel_flagg_at_NOSOUPFORJ00internetwarzone.org)
Date: 10/20/03


Date: Sun, 19 Oct 2003 21:12:53 -0400

In article <6ua6pvsai6q8bgue35ie9mud3r5d7tllvm@4ax.com>,
rjenkins@satx.rr.com says...
> Background: My home PC, running XP Home Edition, was hacked about a
> month ago. I was only running the ICF and I think they got in on
> ports in the upper 3100s and low 3200s. I found 3 users set up in my
> Network Neighborhood. I deleted them and took action such as
> installing Zone Alarm Pro. But they left a keystroke logger behind
> because my brand new credit card got compromised right after the first
> time I used it for a web purchase. When I discovered the fraud, I
> bought Pest Patrol, found the keystroke logger and deleted it.
>
> Current Problem: I downloaded and ran Microsoft's Baseline Security
> Analyzer. It told me that I had 3 administrator accounts. One was
> the internal administrator that is named "Administrator" - Microsoft
> has it so that its not visible if you go to user accounts. One of the
> other administrators is me - that makes sense. I'm listed as an
> administrator in user accounts. But there was a third administrator
> with no name except a huge number. This administrator is not listed as
> a user.
>
> So, I bought a book about XP, which I should have done a year ago, and
> figured out that this huge number is an SID. But whose SID?
> I downloaded getsid and whoami from the Windows 2000 Resource Kit.
> The SID that is being listed, ending in -1006, is not listed by getsid
> or whoami. I can see the built in SIDs, my SID, a couple for support.
> But this -1006 SID is not coming up.
>
> What do you think? How can I figure out who this administrator is?
> How can I determine if it's active? How do I delete it? Do you think
> it was one of the hackers I deleted out of my network neighborhood?
>
> Obviously, I've become very paranoid about my PC's security. But
> right now, with an unknown SID listed as an administrator, I'm
> concerned.
>
> Thanks in advance!
>

First, there's no guarantee that the Windows 2000 Resource Kit programs
are 100% effective with XP.

Second, you should NEVER put a once-compromised machine back online,
that's idiocy. You should have, and SHOULD do so now: back up your machine,
or even better, replace the hard drive. Install a new drive, new
operating system and start from scratch, securing the machine before you
put it online... patching, etc. (you can download all patches via
another machine, burn to CD, patch your machine). Install a proper
firewall (if you're on cable/DSL, get a router and put it in front of the
computer, between the computer and the cable/DSL modem).

Then, if you want your old data back... put the old hard drive in as a
slave (note: if you're interested in figuring out or prosecuting the
person that compromised your machine, don't install it as a slave, go to
www.cert.org and learn what to do, in fact, it's probably a good idea to
go there anyway)... but if you MUST get your data off the drive, install
it as a slave, use My Computer and copy your data files, etc. If you
want, you can then trace the files down in the former OS/drive to find
the administrator you were looking for previously.

-- 
Colonel Flagg
http://www.internetwarzone.org/
Privacy at a click:
http://www.cotse.net 
Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."
"...I see stupid people."
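[Editor's note, added to the thread and not part of either poster's message.] The poster's question of who the SID ending in -1006 belongs to can be answered directly from the machine before it is wiped. The last component of a local account SID is the relative identifier (RID): 500 is the built-in Administrator, 501 is Guest, and RIDs from 1000 upward are handed out to accounts created on that machine, so -1006 is a locally created account, not a built-in one. A SID that MBSA lists in the Administrators group but that no longer resolves to a name is typically an orphaned membership entry: the account it referred to has since been removed (for instance, one of the three users the poster deleted), but the group still carries its SID. The block below is an added example (editor's code, not from the thread, and written for PowerShell rather than the Windows 2000 Resource Kit tools the poster used). It enumerates the local Administrators group through the WinNT ADSI provider, tries to translate every member SID to an account name, and reports the ones that cannot be translated. The SID suffix -1006 in the comment is the poster's value and is used only as an illustration; the function name is the editor's.

```powershell
# Added example (editor's code, not from the original thread).
# Lists every member of the local Administrators group, converts the raw
# objectSid bytes into a SecurityIdentifier, and tries to translate it to a
# DOMAIN\name. A member whose SID cannot be translated (IdentityNotMappedException)
# is an orphan: the account behind it no longer exists on this machine, which is
# the situation described in the thread for the SID ending in -1006.
# Assumes Windows PowerShell and the WinNT ADSI provider (present on all
# supported Windows versions); run it from an elevated prompt.

function Resolve-LocalAdminMembers {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

    foreach ($member in $group.Invoke('Members')) {
        # Pull the binary SID off the COM object and wrap it in a .NET SID.
        $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

        # The RID is the last sub-authority; >= 1000 means a locally created
        # account, 500/501 are the built-in Administrator and Guest accounts.
        $rid = [int]($sid.Value.Split('-')[-1])

        try {
            $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $state = 'resolved'
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            $name  = '<no account with this SID exists on this machine>'
            $state = 'ORPHAN'
        }

        [PSCustomObject]@{
            SID   = $sid.Value
            RID   = $rid
            Name  = $name
            State = $state
        }
    }
}

# Show every member; orphaned SIDs are flagged in the State column.
Resolve-LocalAdminMembers | Format-Table -AutoSize

# Orphaned entries only, for example the "-1006" SID from the thread.
Resolve-LocalAdminMembers | Where-Object { $_.State -eq 'ORPHAN' }
```

An orphaned SID in Administrators is inert on its own, since no logon can produce a token carrying a SID that the SAM no longer knows, but it should still be removed (Remove-LocalGroupMember -Group Administrators -Member '<SID string>' accepts the raw SID on current Windows) so the group reflects reality. Note that resolving the SID tells you only that the entry is stale; it does not tell you whether the attacker left anything else behind, which is why the rebuild advice in the reply above still stands.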

