[Dshield] User accounts discovered please help!!!

allan.vanleeuwen@orangemail.nl allan.vanleeuwen at orangemail.nl
Tue Mar 16 08:52:23 GMT 2004

Most likely you don't block port 139 and 445 on the internet side of your
box, and have not disabled NULL sessions in either the registry or through
policies. This means a NULL session can be established to your machine and
lots of information can be enumerated through that session such as : user
names, user sids, groups, machine names, share names.

Read more info and how to disable it here :


Good luck !

-----Original Message-----
From: Chris Mitchell [mailto:cmitchell at smtusa.com] 
Sent: maandag 15 maart 2004 20:10
To: 'General DShield Discussion List'
Subject: [Dshield] User accounts discovered please help!!!

We have several Windows 2000 Servers, all latest patches and service packs
have been applied, Symantec Corporate with latest definitions loaded.  We
recently found in our logs that someone is trying to get into our servers
through valid user accounts.  I saw a recent post about this but all I can
remember is that it was suggested that NetBIOS was running on the system and
it was exploited there.  We only have TCPIP installed, can anyone on the
list offer an explanation as to how our user accounts were found.  Every
account was tried from the IUSR_Machine name to an ASP_Net account to the
admin account, which had been renamed previous to this happening.

Any help is greatly appreciated.


list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is alleen
bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt,
wordt u verzocht de inhoud niet te gebruiken en de afzender direct te
informeren door het bericht te retourneren. Hoewel Orange maatregelen heeft
genomen om virussen in deze email of attachments te voorkomen, dient u ook
zelf na te gaan of virussen aanwezig zijn aangezien Orange niet
aansprakelijk is voor computervirussen die veroorzaakt zijn door deze

The information contained in this message may be confidential and is
intended to be only for the addressee. Should you receive this message
unintentionally, please do not use the contents herein and notify the sender
immediately by return e-mail. Although Orange has taken steps to ensure that
this email and attachments are free from any virus, you do need to verify
the possibility of their existence as Orange can take no responsibility for
any computer virus which might be transferred by way of this email.

More information about the list mailing list