Re: Unknown SID as Administrator
From: Colonel Flagg (colonel_flagg_at_NOSOUPFORJ00internetwarzone.org)
Date: Sun, 19 Oct 2003 21:12:53 -0400
In article <firstname.lastname@example.org>,
> Background: My home PC, running XP Home Edition, was hacked about a
> month ago. I was only running the ICF and I think they got in on
> ports in the upper 3100s and low 3200s. I found 3 users set up in my
> Network Neighborhood. I deleted them and took action such as
> installing Zone Alarm Pro. But they left a keystroke logger behind
> because my brand new credit card got compromised right after the first
> time I used it for a web purchase. When I discovered the fraud, I
> bought Pest Patrol, found the keystroke logger and deleted it.
> Current Problem: I downloaded and ran Microsoft's Baseline Security
> Analyzer. It told me that I had 3 administrator accounts. One was
> the internal administrator that is named "Administrator" - Microsoft
> has it so that it's not visible if you go to user accounts. One of the
> other administrators is me - that makes sense. I'm listed as an
> administrator in user accounts. But there was a third administrator
> with no name except a huge number. This administrator is not listed as
> a user.
> So, I bought a book about XP, which I should have done a year ago, and
> figured out that this huge number is an SID. But whose SID?
> I downloaded getsid and whoamI from the windows 2000 resource kit.
> The SID that is being listed, ending in -1006, is not listed by getsid
> or whoami. I can see the built in SIDs, my SID, a couple for support.
> But this -1006 SID is not coming up.
> What do you think? How can I figure out who this administrator is?
> How can I determine if it's active? How do I delete it? Do you think
> it was one of the hackers I deleted out of my network neighborhood?
> Obviously, I've become very paranoid about my PC's security. But
> right now, with an unknown SID listed as an administrator, I'm
> Thanks in advance!
First, there's no guarantee that the Windows 2000 Resource Kit programs
are 100% effective with XP.
Second, you should NEVER put a once-compromised machine back online,
that's idiocy. You should have, and SHOULD do so now: back up your machine
or, even better, replace the hard drive. Install a new drive, new
operating system and start from scratch, securing the machine before you
put it online... patching, etc. (you can download all patches via
another machine, burn to cd, patch your machine). Install a proper
firewall (if you're on cable/DSL, get a router and put in front of the
computer before the cable/dsl modem).
Then, if you want your old data back... put the old hard drive in as a
slave (note: if you're interested in figuring out or prosecuting the
person that compromised your machine, don't install it as a slave, go to
www.cert.org and learn what to do, in fact, it's probably a good idea to
go there anyway)... but if you MUST get your data off the drive, install
it as a slave, use My Computer and copy your data files, etc. If you
want, you can then trace the files down in the former OS/drive to find
the administrator you were looking for previously.
-- 
Colonel Flagg
http://www.internetwarzone.org/
Privacy at a click: http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness™ as the new industry standard..."
"...I see stupid people."
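The check the original poster was attempting with MBSA, getsid and whoami (list every member of the local Administrators group by SID, work out which one is the unknown -1006 entry, and find out whether any account still owns it), written up as an added example. This is not code from the thread or from either poster; it assumes a modern Windows host with PowerShell 5.1 or later and the Microsoft.PowerShell.LocalAccounts module, since the XP Home box in the post predates PowerShell. Run it from an elevated prompt.

```powershell
# Added example, not code from the original thread. It does on a modern Windows
# host (PowerShell 5.1+, LocalAccounts module) what the poster tried with MBSA,
# getsid and whoami on XP Home: list every member of the local Administrators
# group by SID, try to map each SID back to an account, and flag any SID that
# no longer resolves. Assumes an elevated prompt.

# BUILTIN\Administrators is always S-1-5-32-544, so look it up by SID, not name.
$adminGroupSid = 'S-1-5-32-544'

# The machine's own SID prefix: take the built-in Administrator (RID 500) and
# read its account-domain SID. Any member whose SID shares this prefix is a
# local SAM account (present, or since deleted); the trailing component is the
# RID, which is the "-1006" MBSA showed the poster.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$machineSid   = $builtinAdmin.SID.AccountDomainSid.Value

# Enumerate through the ADSI WinNT provider rather than Get-LocalGroupMember:
# some builds of Get-LocalGroupMember fail outright when the group contains an
# orphaned SID, which is exactly the case being hunted here.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members'))

function Resolve-AdminMembers {
    foreach ($m in $members) {
        # objectSid comes back as a raw byte array from the COM object.
        $raw = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)

        # Translate() throws IdentityNotMappedException when no account owns the
        # SID any more: that is the "huge number with no name" in the post.
        try {
            $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $state = 'resolves'
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name  = '(no account owns this SID)'
            $state = 'ORPHANED'
        }

        $rid   = ($sid.Value -split '-')[-1]
        $scope = if ($sid.Value.StartsWith($machineSid)) { 'local' } else { 'builtin/domain' }

        # "Is it active?" can only be answered for a local account that still exists.
        $enabled = 'n/a'
        if ($state -eq 'resolves' -and $scope -eq 'local') {
            $u = Get-LocalUser -SID $sid -ErrorAction SilentlyContinue
            if ($u) { $enabled = $u.Enabled }
        }

        [pscustomobject]@{
            SID     = $sid.Value
            RID     = $rid
            Scope   = $scope
            Name    = $name
            State   = $state
            Enabled = $enabled
        }
    }
}

Resolve-AdminMembers | Format-Table -AutoSize

# Once you have confirmed an ORPHANED row is not something you still need,
# it can be dropped from the group by SID (the deleted account cannot be
# named any more). -WhatIf shows the change without making it:
#   Remove-LocalGroupMember -SID $adminGroupSid -Member 'S-1-5-21-...-1006' -WhatIf
```

An entry that shares the machine SID prefix but no longer resolves is the residue of a local account that was created and later deleted while still a group member; the group stores the SID, not the name, so deleting the user leaves the SID behind. That explains why getsid and whoami, which only list accounts that still exist, never showed it. None of this changes the reply's point: on a box where a keylogger was already found, the trustworthy answer is still the rebuild, and this check belongs on the fresh install (or run against the old drive's SAM from a clean system) rather than on the compromised one.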