[Dshield] User accounts discovered please help!!!
BKWalker at DRBSystems.com
Mon Mar 15 19:56:06 GMT 2004
> -----Original Message-----
> From: Chris Mitchell [mailto:cmitchell at smtusa.com]
> We have several Windows 2000 Servers, all latest patches and
> service packs have been applied, Symantec Corporate with
> latest definitions loaded. We recently found in our logs
> that someone is trying to get into our servers through valid
> user accounts. I saw a recent post about this but all I can
> remember is that it was suggested that NetBIOS was running on
> the system and it was exploited there. We only have TCPIP
> installed, can anyone on the list offer an explanation as to
> how our user accounts were found. Every account was tried
> from the IUSR_Machine name to an ASP_Net account to the admin
> account, which had been renamed previous to this happening.
Sounds like your permissions on the SAM database are allowing anon reads
(the default, I think, up until WinXP?). There are a variety of tools that will
attach to the SAM on a remote computer and dump the list of accounts.
I'd suggest getting a copy of Retina from eEye
(http://www.eeye.com/html/Products/index.html) and using that to test your
servers. From what I remember, it does a pretty good job and even tells you
exactly how to plug the holes it finds.
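The symptom described in the thread (failed logons walking through every local account, from IUSR_ to ASP.NET to the renamed admin) is easy to pick out of a logon-failure log once you group failures by source. The following detection script is an added example, not code from either poster; it runs over a constructed, simplified log export (one line per event: timestamp, event ID, account, workstation, source IP), using 529 as the Windows 2000 "logon failure" event ID and 528 as a successful logon.

```python
"""Flag sources that fail logons against many distinct accounts in a short
window, the post-enumeration pattern described in the thread.
The log format below is a constructed, simplified export (assumption), not a
real Windows event-log layout."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp event_id account workstation source_ip".
# 529 = logon failure (bad user/password) on Windows 2000, 528 = success.
SAMPLE_LOG = """\
2004-03-15T19:40:01 529 IUSR_WEB01 ATTACKER 203.0.113.7
2004-03-15T19:40:03 529 ASPNET ATTACKER 203.0.113.7
2004-03-15T19:40:05 529 svc_backup ATTACKER 203.0.113.7
2004-03-15T19:40:09 529 ops_admin ATTACKER 203.0.113.7
2004-03-15T19:55:00 529 jsmith WS12 10.0.0.21
2004-03-15T19:55:30 528 jsmith WS12 10.0.0.21
"""


def parse_log(text):
    """Parse the constructed export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, event_id, user, workstation, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "user": user, "workstation": workstation, "src": src})
    return events


def find_account_sweeps(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {source_ip: sorted accounts} for every source whose failed logons
    (event 529) hit at least min_accounts distinct accounts within one window.
    A single user mistyping their own password never trips this, because the
    distinct-account count stays at one."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == 529:
            failures[e["src"]].append(e)
    sweeps = {}
    for src, evs in failures.items():
        for i, first in enumerate(evs):
            # Sliding window anchored on each failure in turn.
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                sweeps[src] = sorted(users)
                break
    return sweeps
```

With the sample above only 203.0.113.7 is flagged; the thresholds are starting points to tune against your own failure baseline.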