Re: Mysterious "Support" account created on Win2k server
From: Floydman <floydman(at)iquebec.com>
Date: Fri Jan 03 2003 - 13:35:39 EST

I made a tool that could probably help you to at least determine the actions taken by the intruder, if not the means of intrusion itself. It is a command prompt logger that I got the idea for after reading Lance Spitzner's papers. It is called Comlog; it is written in Perl, and a compiled version is available at my site, securit.iquebec.com.

In order to make it run under Win2K, you have to disable the Windows File Protection System (a "feature" that did not exist in NT), because Comlog has to replace cmd.exe in order to capture what is fed into it. Since the steps for disabling Windows FPS differ depending on your service pack level, I'll forward you to this Google search for more information about it: http://www.google.ca/search?q=disabling+windows+file+protection+system&ie=UTF-8&oe=UTF-8&hl=en&meta=

This tool works by replacing the real cmd.exe and capturing all the commands sent to it, then passing them to a renamed command prompt for execution, and capturing the output before displaying it on the screen (or STDOUT). If your intruder passes his commands through the command prompt, you can determine his course of action. Since your machine is already compromised, you'd have to make sure that any other copies of cmd.exe (i.e. root.exe) are also replaced by Comlog for it to be effective. That is, if you're at all concerned about this kind of info at this point in this incident. Still, it could help you when you set up a new machine, just in case this happens again.

Hope this helps.

Floydman
At 04:03 PM 02/01/2003, Scott Fendley wrote:
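The wrapper approach described in the message above, as an added example for forensic review of a honeypot or rebuilt host; this is not Comlog's code or anything from the original post. It assumes the real interpreter is cmd.exe on Windows and /bin/sh elsewhere, and the log path and record format are constructed here.

```python
import datetime
import os
import subprocess
import sys
import tempfile

# Interpreter the wrapper forwards to. Comlog forwarded to a renamed cmd.exe;
# this example assumes cmd.exe on Windows and /bin/sh elsewhere.
REAL_SHELL = ["cmd.exe", "/c"] if sys.platform == "win32" else ["/bin/sh", "-c"]
# Portable stand-in used by the self-test: run the command line as Python source.
PYTHON_SHELL = [sys.executable, "-c"]
# Constructed log location; the page gives no path for Comlog's own log.
DEFAULT_LOG = os.path.join(tempfile.gettempdir(), "comlog-example.log")


def run_logged(command, log_path=DEFAULT_LOG, shell=None):
    """Run one command line through the real interpreter, append the command,
    its exit code and its output to the log, and return the output so the
    wrapper can still show it to whoever typed the command."""
    shell = shell or REAL_SHELL
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    proc = subprocess.run(shell + [command], capture_output=True, text=True)
    output = proc.stdout + proc.stderr
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(f"[{stamp}] CMD {proc.returncode}: {command}\n")
        for line in output.splitlines():
            log.write(f"[{stamp}] OUT: {line}\n")
    return output

def recorded_commands(log_path=DEFAULT_LOG):
    """Return (exit_code, command) pairs from the log, in order, so the
    intruder's course of action can be reconstructed afterwards."""
    commands = []
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            _, _, rest = line.partition("] ")
            if rest.startswith("CMD "):
                code, _, command = rest[4:].partition(": ")
                commands.append((int(code), command.rstrip("\n")))
    return commands

def main():
    """Interactive loop standing in for the prompt: read, run logged, echo."""
    for line in sys.stdin:
        if line.strip():
            sys.stdout.write(run_logged(line.strip()))
            sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Like Comlog, this only sees commands typed into the wrapped prompt, so any other copy of the interpreter on the host has to be replaced as well.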
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Fri Jan 3 16:58:51 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT