Re: Is it really true that NTFS is secure?

From: George Hester (hesterloli@hotmail.com)
Date: 12/16/02


From: "George Hester" <hesterloli@hotmail.com>
Date: Mon, 16 Dec 2002 15:12:04 -0500

You used a valid Windows file name w32tm.exe for your imposter and put it in C:\WINNT? I have that file in C:\WINNT\system32 and it is called Microsoft® Win32 Time Service.

Well, I looked at both those Run keys, HKLM and HKCU. I actually have only two things which are in HKCU Run:

Name: internat.exe
Type: REG_SZ
Data: internat.exe

(I tried removing this once; it is necessary for me to connect to the Net or something. It wasn't nice.)

The other is:

Name: msnmsgr
Type: REG_SZ
Data: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

Of course this is MSN Messenger.

Maybe this internat.exe is not the correct file? Keyboard Language Indicator Applet Copyright (C) Microsoft Corp. 1994-1999 5.0.2920.0

I don't know. I looked in my W3SVC1 Logs. I know Nimda but I am seeing the strangest stuff in there now. All 404 or 500 but disturbing nevertheless:

2002-12-16 00:38:37 127.0.0.1 GET /ad/N1942.MSN/B1075680.22;sz=120x30;ord=21285 404 3 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.0.3705)

(Looks like .NET or something.) Oh, screw this, I know what it is. It's my hosts. See, everything seems to be leading down a dead road.

The next time this enabling of the User Guest happens I will go into the IIS logs and see if there is a correspondence with the actions in the Event Viewer.

One last thing. You know what? I have been tested to see if my SMTP server is routing. It's not, but the scanner accused me of sending mails that made it look like I was allowing routing. They even had an IP address to check to see if I was banned or not. No, I wasn't banned. But they scanned me three times in the space of a few minutes. The scans are in my Drop folder.

You know something? Moving from the Server to Professional has been a NIGHTMARE!

-- 
George Hester
__________________________________
"B. Goodman" <no@spam.org> wrote in message news:MPG.1867f3b572e42e9e9896d4@msnews.microsoft.com...
> In article <On9tyFTpCHA.1236@TK2MSFTNGP12>, hesterloli@hotmail.com 
> says...
> > This is why I hate these Anti Virus Programs.  It's because they use a
> > minimum of tests to determine if a machine is infected.  Case in point.
> > 
> > I had an issue that something called TaskReg which was a string and
> > called an executable w32com.exe.  This file was in
> > %SystemRoot%\System32.  I removed that file AND put a login\logout
> > shutdown\startup script so that TaskReg got written to the Run key in
> > HKLM without any value.
> > 
> > I just did a test.  Sure enough with this empty string the AV is telling
> > me I am infected with the Malware BKDR_TASKREG.A
> > 
> > Now this is a bunch of hokum.  This tells me that all I would have to do
> > is pick any virus on Earth that is known to write an entry to the HKLM
> > Run key, put the entry in as an empty string, and AV software is going
> > to tell me I am infected with that virus.  And then tell me I have been
> > cleaned because they removed that entry.  Come on.  Hokum crap.
> > 
> > I am finding not a damn thing in this machine.  Nothing.  I looked
> > through all the services that load at boot; nothing out of the ordinary.
> > There are some services that are starting that are not Microsoft
> > Services but these are from respectable companies.  At least I think
> > they are.
> > 
> > It is the Administrator account that is enabling the user Guest.  I see
> > it in my Event Logs.  First IUSR_MachineName signs on.  Then about 3
> > minutes later Administrator re-enables the User Guest.  Changes the
> > password too.  Then sometimes adds this user to the Administrator Group.
> > Then IUSR_MachineName logs off.  Now for all I know this logon by
> > IUSR_MachineName could be me testing my site.  Also this changing of the
> > User Guest account will occur many times.  As if doing it once is not
> > enough.
> > 
> > I am not sure what I am going to do to stop this.  When I ran Windows
> > 2000 Server SP2 I NEVER had this issue.  NEVER.  And it seems to me if
> > this was an "infection" this would have appeared on the NET long ago.
> > Distraught.
> > 
> > -- 
> > George Hester
> > __________________________________
> > "B. Goodman" <no@spam.org> wrote in message
> > news:MPG.1867beebaa02566f9896d3@msnews.microsoft.com...
> > > In article <u5dL92toCHA.1888@TK2MSFTNGP09>, hesterloli@hotmail.com
> > > says...
> > > > "Lock Forever"  How?  I see it in minutes.  Forever is quite a few
> > > > minutes.  This also looks like lockout will be true for all
> > > > Accounts.
> > > > 
> OK, this may be WAY obvious, and you've probably already checked, but 
> have you looked at the Run registry key for HKCU when you are logged in 
> as the admin account that is causing this issue?  It seems difficult to 
> believe that nobody else has reported this behavior, so it still seems 
> likely to be malware.
> 
> I once proved this point to one of our security experts on his test LAN.  
> I used my "restricted user" account to put a small program into a TEMP 
> directory and write a key to the HKLM Run key (which hadn't been locked 
> out!).  It would run for every user who logged in.  It would test to see 
> if the user logging in was a domain admin.  If not, it would simply 
> exit.  If he was an admin, it would copy itself to c:\winnt under the 
> name of w32tm.exe.  It would add my restricted user account to "Domain 
> Admins".  It would unlock the account if locked out.  It then removed 
> itself from HKLM Run and added itself to HKCU Run.  Because it was named 
> w32tm.exe, even if noticed in the Run key, it wouldn't immediately 
> attract attention among all the other items that start from there.  
> Antivirus software ignored it.  Once I showed him I had gained admin 
> rights in his lab, it didn't take him long to find it, but I think that 
> was mainly because I showed him I had those rights.
> 
> You might want to verify EVERY executable in HKCU Run, HKLM Run, 
> Startup, etc. to be sure it is still the correct program.
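The check B. Goodman recommends at the end of the quoted message (verify every executable started from HKCU Run, HKLM Run and the Startup folders, and make sure it is still the real program) and the Run-key inspection George walks through above, written out as an added PowerShell example. This is not code from the thread or from either poster; it assumes PowerShell 5.1 or later on a Windows host, and the status labels and the "same name as a System32 binary but living elsewhere" heuristic are this example's own.

```powershell
# Added example, not code from the thread: enumerate the Run/RunOnce keys
# for the machine and the current user plus both Startup folders, resolve
# each entry to the file it really launches, and report its location,
# Authenticode status and SHA-256 so a look-alike such as a second
# "w32tm.exe" sitting in %SystemRoot% instead of System32 stands out.
# Assumes PowerShell 5.1+ on Windows. The status labels are this example's own.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds for the provider itself, not registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable out of a Run-key command line: a quoted path, or else
# the first token. A bare name (internat.exe) is resolved through PATH,
# which is what the shell does and where a planted copy could win.
function Get-ExecutableFromCommand {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found) { $exe = $found.Source }
    }
    return $exe
}

function Test-AutorunEntry {
    param([string]$Source, [string]$Name, [string]$Command)
    $entry = [ordered]@{ Source = $Source; Name = $Name; Command = $Command; Path = ''; Signature = ''; SHA256 = ''; Status = '' }
    if ([string]::IsNullOrWhiteSpace($Command)) {
        $entry.Status = 'EMPTY VALUE'            # e.g. the valueless TaskReg string from the thread
        return [pscustomobject]$entry
    }
    $exe = Get-ExecutableFromCommand $Command
    $entry.Path = $exe
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $entry.Status = 'FILE MISSING'
        return [pscustomobject]$entry
    }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    $entry.Signature = $sig.Status
    $entry.SHA256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    # A file with the same name as a System32 binary but living somewhere else
    # is the pattern described in the thread; flag it before anything else.
    $twin = Join-Path "$env:SystemRoot\System32" ([IO.Path]::GetFileName($exe))
    if ((Test-Path -LiteralPath $twin) -and ($twin -ne $exe)) { $entry.Status = 'NAME COLLIDES WITH SYSTEM32' }
    elseif ($sig.Status -ne 'Valid') { $entry.Status = "SIGNATURE $($sig.Status)" }
    else { $entry.Status = 'OK' }
    [pscustomobject]$entry
}

$results = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }
        Test-AutorunEntry -Source $key -Name $p.Name -Command ([string]$p.Value)
    }
})

# Startup folders: shortcuts are followed to their target before checking.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($f in (Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue)) {
        $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        $results += Test-AutorunEntry -Source $dir -Name $f.Name -Command ('"' + $target + '"')
    }
}

$results | Sort-Object Status | Format-Table Source, Name, Path, Signature, Status -AutoSize
```

Run it from an elevated prompt so HKLM and the common Startup folder are readable, and run it again under each account that logs on interactively, since HKCU Run is per user and that is exactly where the quoted message says the planted copy moved itself. An entry reported as OK only means the file is where it claims to be and carries a valid signature; a second copy of a system binary name outside System32, or a Run value with no data at all, is what the thread is hunting for.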
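George's plan to line up the Guest-account changes he sees in the Event Viewer (IUSR logon, then Administrator enabling Guest, setting its password and adding it to a group) with what the IIS log shows in the same minutes, as an added PowerShell example that is not code from the thread. The W3C log lines and the three Security-log records are constructed sample data; on a live host the events would come from Get-WinEvent on the Security log (IDs 4722, 4724 and 4732 on Vista and later; Windows 2000 used 626, 628 and 636) and the log from the W3SVC1 directory. The five-minute window is this example's own choice.

```powershell
# Added example, not code from the thread: for each account-management event
# (account enabled, password set, member added to a local group), list the IIS
# requests logged in the minutes just before it. Sample data below is
# constructed; on a live host replace $events with
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4722, 4724, 4732 }
# (Vista and later; Windows 2000 logged these as 626, 628 and 636) and $iisLog
# with Get-Content over the W3SVC1 log file. Assumes PowerShell 5.1+.

$windowMinutes = 5

# Constructed W3C excerpt in the IIS 5 layout; times are UTC as IIS writes them.
$iisLog = @'
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-12-16 00:35:10 192.0.2.77 GET /scripts/probe.exe - 404 -
2002-12-16 00:36:02 192.0.2.77 GET /msadc/probe.exe - 500 -
2002-12-16 00:38:37 127.0.0.1 GET /ad/N1942.MSN/B1075680.22 sz=120x30 404 Mozilla/4.0+(compatible;+MSIE+6.0)
2002-12-16 02:10:00 203.0.113.5 GET /default.htm - 200 Mozilla/4.0+(compatible)
'@ -split "`r?`n"

# Constructed stand-ins for Security-log records (same shape as Get-WinEvent output).
$events = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2002-12-16T00:39:15Z'; Id = 4722; Message = 'User account enabled: Guest' },
    [pscustomobject]@{ TimeCreated = [datetime]'2002-12-16T00:39:20Z'; Id = 4732; Message = 'Guest added to Administrators' },
    [pscustomobject]@{ TimeCreated = [datetime]'2002-12-16T03:00:00Z'; Id = 4724; Message = 'Password set: Guest' }
)

# Parse a W3C log: the #Fields: line names the columns; other # lines are skipped.
function ConvertFrom-W3CLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if (-not $fields -or -not $line.Trim() -or $line.StartsWith('#')) { continue }
        $vals = $line -split '\s+', $fields.Count      # last column keeps any remaining text
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $vals[$i] }
        $row['Time'] = [datetime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss',
            [cultureinfo]::InvariantCulture, [Globalization.DateTimeStyles]'AssumeUniversal,AdjustToUniversal')
        [pscustomobject]$row
    }
}

# For every event, collect the requests that fall in [event - N minutes, event].
function Find-RequestsBeforeEvent {
    param($Events, $Requests, [int]$Minutes)
    foreach ($ev in $Events) {
        $t = $ev.TimeCreated.ToUniversalTime()
        $hits = @($Requests | Where-Object { $_.Time -le $t -and $_.Time -ge $t.AddMinutes(-$Minutes) })
        [pscustomobject]@{ EventTime = $t; EventId = $ev.Id; Summary = $ev.Message; Requests = $hits }
    }
}

$requests = ConvertFrom-W3CLog $iisLog
foreach ($r in Find-RequestsBeforeEvent $events $requests $windowMinutes) {
    '{0:u} event {1}: {2} ({3} request(s) in the prior {4} min)' -f $r.EventTime, $r.EventId, $r.Summary, $r.Requests.Count, $windowMinutes
    foreach ($q in $r.Requests) {
        '    {0:HH:mm:ss} {1,-15} {2} {3} -> {4}' -f $q.Time, $q.'c-ip', $q.'cs-method', $q.'cs-uri-stem', $q.'sc-status'
    }
}
```

With the constructed data the two events at 00:39 each pick up the three requests from 00:35 to 00:38, and the 03:00 password change picks up none, which is the distinction George is after: a Guest change with web traffic immediately before it points at the web server as the path in, while one with an empty window points somewhere else (a scheduled task, a service, or his own testing). Both clocks must be on the same basis before comparing; IIS writes UTC, and the script converts event times to UTC for that reason.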

