more info on a hopefully unsuccessful compromise
From: LiNERROR (linerror stx.rr.com)
Date: Sat Jul 12 2003 - 04:15:30 CDT
Upon running an audit on one of my networks, Retina 4.90 discovered two
systems, running Windows 2000 Pro with SP3 and all updates, with what
appeared to be multiple administrator accounts.
snip ---
Accounts: User: Administrator Pass: rotartsinimdA - Account password reverse of account
Accounts: User: Administrator Pass: Administrator - Account password same as account
Accounts: User: Administrator Pass: - Account with no password
snip ---
However, the system shows no evidence of these accounts in the User
Manager... but the accounts are there.
I can connect to the system using my specified account and password... AND
the three above.
Only these two machines have ghost accounts that I know of. Due to my
network setup I do not think anything has owned these two machines just
yet... I checked my traffic logs and nothing has left these two machines
over the network.
I've never seen this before and was wondering if anyone knew anything that
might help me figure out what has caused this and
1.) How can I remove these ghost accounts? (They don't show up under the
User Manager.)
2.) How would I be able to find other ghost accounts, since Retina only
scans for default accounts?
3.) How can I DISABLE the Administrator account in 2k? (I get an error
message when I try to disable it, saying that the account cannot be disabled.)
All help is appreciated.