[SOLVED] User's keep appearing in administrators group??

nj775 · 08-26-2008, 04:47 AM

Hello All

Over the last few weeks something very strange has ben happening with my server. (server 2003)

Every few days users ( that I have not created) keep on showing up in members of adminsitrators group? I keep on deleting these users but they keep on coming back!

I have Macaffe AV and a fire wall on the server but I think this is spyware?

the user names that appear are things like...sony...spy...pm...exit etc

what do you think I should do? run spybot or maybe adaware?

thanks in advance

Nick

**koala** · 08-26-2008, 08:48 AM

It does sound like an infection of some kind, but could also be one of your users messing about with profile settings.

How many legitimate users are on the network, and can they be trusted not to try to bypass your security settings? For example, if this is a work environment, admin rights would allow them to surf MySpace, play Flash games, install software, view private documents, etc.

Run some malware scans and if you find anything that can't be fixed, post back to the HJT forum so our analysts can see what's going on.

Have you tried auditing the new accounts to see what the user is doing?

From http://support.microsoft.com/kb/300549

Quote:

Auditing Events in Windows 2000 Server

Auditing to Detect Unauthorized Access

You can detect unauthorized access attempts in the Windows Security log, these attempts can appear as warning or error log entries. You can also archive these logs for later use.

To detect possible security problems by reviewing the Windows Security log:
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Computer Management.
3. Expand System Tools, and then expand Event Viewer.
4. Click Security Log.

NOTE: If you are not able to view the Security log, the user account that you are using does not have the privileges to do so. This issue occurs because the domain-level security policies override the local computer-level security policies, which means that you can be logged on as the administrator of your local computer, but not have access to the computer's security log. To obtain these permissions, see your network administrator. For more information about security policies, see the Windows documentation.
5. Inspect the logs for suspicious security events, including the following events:
• Invalid logon attempts.
• Unsuccessful use of privileges.
• Unsuccessful attempts to access and modify .bat or .cmd files.
• Attempts to alter security privileges or the audit log.
• Attempts to shut down the server.

From http://www.lockergnome.com/it/2004/1...2003-auditing/

Quote:

* Audit Account Logon Events: Tracks user logon and logoff events.
* Audit Account Management: Reports changes to user accounts.
* Audit Directory Service Access: Reports access and changes to the directory service. If the system is a member server or XP system, directory service is NTLM-based, and consists of user accounts and group policies.
* Audit Logon Events: Reports success/failure of any local or remote access-based logon.
* Audit Object Access: Reports file and folder access. Must be implemented here, and then the individual file/folder must be configured for auditing within its properties in order to fully enable this feature.
* Audit Policy Change: Reports changes to group policies.
* Audit Privilege Use: Related to Audit Object Access: reports when permissions are utilized such as read, or full control.
* Audit Process Tracking: Reports process and program failures. Not security related.
* Audit System Events: Reports standard system events. Not security related.

nj775 · 08-26-2008, 09:25 AM

Hi thanks for the reply

to be honest I dont think its one of the user's...I have about 60 users on the network but none would need to or be capable of that.

I have checked all the security logs and there are no suspicious events??

But I'm going to run some malware scans and let you know how I get on

Thanks for your help

nj775 · 08-27-2008, 03:08 AM

Ran a scan on the server lastnight and my spyware doctor pciked up a trojan "online games"....anyway since then I have not had any new admins appear in the group...so fingers crossed!

let you know in soon if we can close this!

thanks

**blah789** · 08-28-2008, 11:09 AM

Reminds me of the old exploit in Windows NT: getadmin and sechole. Anyone (even guests!) could run the command and add themselves to the administrators group. Quickly patched, but freaky as heck.
Be sure your server is all patched up, and enable DEP to protect from remote buffer overflow attacks.

nj775 · 08-29-2008, 02:41 AM

yep this problem can be closed now guys it looks like it was spyware in the end!

thanks

Nicky

08-26-2008, 04:47 AM	#1 (permalink)
nj775 Registered User Join Date: Jan 2007 Location: Swansea, Wales, UK Posts: 36 OS: winxp	[SOLVED] User's keep appearing in administrators group?? Hello All Over the last few weeks something very strange has ben happening with my server. (server 2003) Every few days users ( that I have not created) keep on showing up in members of adminsitrators group? I keep on deleting these users but they keep on coming back! I have Macaffe AV and a fire wall on the server but I think this is spyware? the user names that appear are things like...sony...spy...pm...exit etc what do you think I should do? run spybot or maybe adaware? thanks in advance Nick

08-26-2008, 09:25 AM	#3 (permalink)
nj775 Registered User Join Date: Jan 2007 Location: Swansea, Wales, UK Posts: 36 OS: winxp	Re: User's keep appearing in administrators group?? Hi thanks for the reply to be honest I dont think its one of the user's...I have about 60 users on the network but none would need to or be capable of that. I have checked all the security logs and there are no suspicious events?? But I'm going to run some malware scans and let you know how I get on Thanks for your help

08-27-2008, 03:08 AM	#4 (permalink)
nj775 Registered User Join Date: Jan 2007 Location: Swansea, Wales, UK Posts: 36 OS: winxp	Re: User's keep appearing in administrators group?? Ran a scan on the server lastnight and my spyware doctor pciked up a trojan "online games"....anyway since then I have not had any new admins appear in the group...so fingers crossed! let you know in soon if we can close this! thanks

08-28-2008, 11:09 AM	#5 (permalink)
blah789 TSF Enthusiast Join Date: Aug 2008 Posts: 2,294 OS: Windows 2000 SP4 and Windows XP SP3	Re: User's keep appearing in administrators group?? Reminds me of the old exploit in Windows NT: getadmin and sechole. Anyone (even guests!) could run the command and add themselves to the administrators group. Quickly patched, but freaky as heck. Be sure your server is all patched up, and enable DEP to protect from remote buffer overflow attacks.

08-29-2008, 02:41 AM	#6 (permalink)
nj775 Registered User Join Date: Jan 2007 Location: Swansea, Wales, UK Posts: 36 OS: winxp	Re: User's keep appearing in administrators group?? yep this problem can be closed now guys it looks like it was spyware in the end! thanks Nicky