
Terminal Services / TsInternetUser [RMC-RUFLVP4]

From: Romulo M. Cholewa <rmc(at)rmc.eti.br>
Date: Sat Dec 14 2002 - 17:37:03 EST


Hail,

I have a Windows 2000 Server machine with a real IP address and 3389/tcp available. Since this morning, I've noticed lots of attempts (Security Eventlog) of someone trying to change the TsInternetUser password (no success, only failures).

I would like to know if there are any utilities that would enable someone to change this password (I think not), or any known attacks that might use any vulnerability in TS that would enable someone to gain access through this account.

The W2K server is fully patched.

Any ideas? I temporarily configured TS to only accept connections from the internal network until I can find out the possibilities.

What is intriguing me is the fact that until now, I thought that anyone must be logged on to try to change a password. And only one user has TS granted (since this user is admin equiv, I don't think that it has been compromised: since it is admin equiv, if someone does know its password, a natural course of action would be simply to create a new account).

Thanks in advance,

Romulo M. Cholewa
Home : http://www.rmc.eti.br
Forum: http://zeus.rmc.eti.br/forum
PGP Keys Available @ website.

"Everything should be made as simple as possible, but not simpler." -- Albert Einstein
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Sun Dec 15 16:26:17 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT

