Security Basics mailing list archives
RE: unknown user on home computer
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Mon, 3 Mar 2008 07:48:58 +1000
Does anyone else have access to the machine (physical access)? I can see a user called David. Before you bought the router, was there any kind of firewall and/or anti-virus installed? Are there any strange users on the laptop? Have you since run any anti-virus/spyware/rootkit scans? Do you have any kind of peer-to-peer software that you use (e.g. LimeWire, BearShare, etc.)?
It's possible I have utilized some online program to gather information on my system which created those files
Does this mean you're not sure if you ever did this? Is this a Lenovo laptop?
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Margaret Wolfe-Roberts
Sent: Sunday, March 02, 2008 1:18 AM
To: security-basics () securityfocus com
Subject: unknown user on home computer
Hello,
I am a home user with one laptop and one desktop and I'm hoping you can help me with a security concern. Recently I installed a router in order to share the Internet connection. In the process of learning to enable File Sharing I clicked on some stuff and the desktop generated a list of users that includes a username I have never seen before, a strange one called "ratnkwCNHERF". When I did a whole-computer search to find out more, the search generated a list of three files where the same term is used, all in the C://SWSHARE folder. I checked the three files: egathcmp.xml, egath.xml and eGathComp.html (Firefox doc). They seem to be reviews of the overall system. It's possible I have utilized some online program to gather information on my system which created those files. The html file is entitled Gathered Information for [computer name] and includes this information about users:
Workstation Security . User Accounts
User ID/Name/Password Set/Password age in days/Privilege Level/Disabled/Password Not Required/Cannot Change Password/Locked Out/Password Never Expires/Password Expired
2700 true 97 Administrator false true false false true false
Administrator true 480 Administrator true false false false true false
David David true 0 User false false false false true false
Guest true 0 Guest false true true false true false
od2700 Margaret true 97 User false true false false true false
ratnkwCNHERF ratnkwCNHERF true 55 Administrator false false false false false true
Here I find out that the "rat" user has Administrator privileges and appears to have had a password created AFTER I set passwords for myself and the administrator account as I know it - the "2700" account (password age 55 days vs 97 days). I purchased the computer last October from Office Depot. However, the table also indicates the "rat" user's password is expired, though the account is not disabled. I also notice that there is an extra Administrator account (now disabled) listed separately from the account I know as administrator (2700) which appears to long predate my purchase of the computer (password age 480 days).
Is there some benign explanation for this mysterious user (who still shows up as an option for sharing my files with) or have I uncovered evidence of some kind of security breach of my computer? How and for what purpose would this extra user account have been created, and without my knowledge? I will be truly grateful for any insight you can share with me.
Margaret Wolfe-Roberts