Security Incidents mailing list archives
Re: strange account in Win2k
From: Kevin <kevin () ktstone com>
Date: Tue, 28 May 2002 17:20:13 -0400
I have seen this before as well. I know that this sounds strange, but could you detect a change in hair color of the icon? Grey hair represents an account that has been modified but replication has not yet been completed. A SID of 1008 at the end usually represents an account that is user defined. The group membership of the account is interesting. The "Network" group is a System related group that is self generated like the everyone group as well as the interactive group. I might be a little in left field, but a SID ending in 1008 is the 7th account you created. You might want to run user2sid/sid2user to determine which account it was.

my 2 cents.
kevin

Dan Cuthbert wrote:
Is this machine part of a Domain? if so that is normally the domain acc

* Mark Fagan (Mark.Fagan () esat com) Tapped away:

While setting additional privileges on a Win2k webserver I noticed that certain privileges (logon as batch job, act as part of o/s, logon locally and network) were applied to a very strange account - *S-1-5-21-527237240-162531612-725345543-1008 which is not seen as a user account. Any ideas folks ?

Mark Fagan
TDA Esat Business
1 Grand Canal Quay
Dublin 2, Ireland.
E mark.fagan () esat com
www.esatbusiness.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Dan Cuthbert
Network Security Consultant
IdSec
Key fingerprint = 9BFB 60F1 1B46 F9F0 4E2C 84A6 8D04 E771 54A6 1116
--
v/r
Kevin Steiner
MCT, MCSE, MCSA, MCDBA
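The SID breakdown discussed in this thread, as an added example that is not part of any poster's message: a PowerShell function (the name `Get-SidSummary` and its output fields are hypothetical) that splits a SID into its issuing machine or domain identifier and its RID, then attempts the same SID-to-name lookup that sid2user performs. It assumes Windows PowerShell 5 or later, which postdates the Win2k host in the thread.

```powershell
# Added example, not from the thread. Get-SidSummary and its fields are hypothetical names.
function Get-SidSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Sid
    )
    process {
        # Throws on a malformed SID string, so bad input fails loudly.
        $sidObj = [System.Security.Principal.SecurityIdentifier]::new($Sid)

        # The last sub-authority is the relative identifier (RID).
        $rid = [uint32]($Sid.Split('-')[-1])

        # AccountDomainSid is $null for SIDs such as S-1-5-2 (NETWORK) that are
        # not issued by a machine or domain account database.
        $issuer = $sidObj.AccountDomainSid

        $kind = if ($null -eq $issuer) {
            'well-known SID (no issuing machine or domain)'
        } elseif ($rid -lt 1000) {
            'built-in account or group (RID below 1000)'
        } else {
            'account or group created after installation (RID 1000 or higher)'
        }

        # SID-to-name lookup. Failure means neither this machine nor its
        # domain can map the SID to an account name.
        try {
            $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name = $null
        }

        [pscustomobject]@{
            Sid      = $Sid
            Issuer   = if ($issuer) { $issuer.Value } else { $null }
            Rid      = $rid
            Kind     = $kind
            Name     = $name
            Resolved = [bool]$name
        }
    }
}

# The SID quoted in the thread, plus NETWORK (S-1-5-2) for contrast.
'S-1-5-21-527237240-162531612-725345543-1008', 'S-1-5-2' | Get-SidSummary | Format-List
```

Run it on the host where the rights were assigned, because the name lookup is answered by that machine's account database and its domain.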
Current thread:
- strange account in Win2k Mark Fagan (May 28)
- RE: strange account in Win2k AJ Decker (May 28)
- RE: strange account in Win2k Rick Darsey (May 28)
- Re: strange account in Win2k Dan Cuthbert (May 28)
- Re: strange account in Win2k Kevin (May 28)
- <Possible follow-ups>
- RE: strange account in Win2k Admiraal, J.E. (CDIV) (May 28)
- Re: strange account in Win2k Maxime Ducharme (May 28)
- RE: strange account in Win2k Kit (May 28)
- Re: strange account in Win2k Maxime Ducharme (May 28)
- RE: strange account in Win2k dlaumann (May 28)
- RE: strange account in Win2k Mark Fagan (May 29)