Re: PLEASE help me I D this...

From: Jeff Cochran (jcochran.nospam@naplesgov.com)
Date: 01/27/03


From: jcochran.nospam@naplesgov.com (Jeff Cochran)
Date: Mon, 27 Jan 2003 16:25:59 GMT


>Apparently, my workgroup has been hacked/infected. First I noticed my
>workgroup was made a part of a domain and I noticed user group "NT
>Authority," beginning to appear on permissions and services under Log On -->
>This Account (NT Authority) --> Allow Service to Interact with desktop was
>checked, when these settings had Never been configured that way before.
>The virus/hack working through The NT Authority group seemed to be taking
>over my system as it was increasingly appearing in new Services and newly on
>object permissions. The virus/hack/whatever did not allow any local users
>to log on locally because their accounts were all set to "disabled," except
>for one admin user account, which I was using to correct the problem. My
>Norton Antivirus was disabled and the virus escalated when I took corrective
>action (restoring permissions to shares and enabling user accounts). It
>was apparent that my computer was forced to become part of a domain, and I
>learned that I was dealing with Group Policy (which I did not implement) and
>NOT the original Local Computer Policy (which I did implement). This all
>resulted in restricted access to certain shares and eventually destroying
>some shares altogether, with users' permissions completely modified, AND not
>allowing the permissions to be modified by the admin user account,
>which still has limited access.
>
>A little information about my system:
>Windows 2000 Professional
>All are NTFS parts and one FAT partition, none are extended partitions
>IIS is running
>Norton Antivirus, Zone Alarm,
>Indexing, Msmq, RIP

>Please comment on what is this.. Anyone face something like this? Please
>help.

You have several vulnerable processes on your system, have you kept
current on patches? What do your firewall logs show?

Most likely it's inept administration attempts, since these symptoms
are common when fumble-fingered admins start playing with security
settings, but it could be a hack. Start here:

http://securityadmin.info/

Jeff


