[Dshield] User accounts discovered please help!!!

Brenden Walker BKWalker at DRBSystems.com
Mon Mar 15 19:56:06 GMT 2004

> -----Original Message-----
> From: Chris Mitchell [mailto:cmitchell at smtusa.com] 
> We have several Windows 2000 Servers, all latest patches and 
> service packs have been applied, Symantec Corporate with 
> latest definitions loaded.  We recently found in our logs 
> that someone is trying to get into our servers through valid 
> user accounts.  I saw a recent post about this but all I can 
> remember is that it was suggested that NetBIOS was running on 
> the system and it was exploited there.  We only have TCPIP 
> installed, can anyone on the list offer an explanation as to 
> how our user accounts were found.  Every account was tried 
> from the IUSR_Machine name to an ASP_Net account to the admin 
> account, which had been renamed previous to this happening.

Sounds like your permissions to the SAM database are allowing anon reads
(the default I think up until WinXP?) there are a variety of tools that will
attach to the SAM on a remote computer and dump the list of accounts.

I'd suggest getting copy of Retina from eEye
(http://www.eeye.com/html/Products/index.html) and using that to test your
servers, from what I remember it does a pretty good job and even tells you
exactly how to plug the holes it finds.

More information about the list mailing list