lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <F9C0B32C4FFE7147BD0FF6A40BE806E701AD12@Hammer_Exchange.hammerofgod.com>
Date: Wed, 28 Nov 2007 09:31:22 -0800
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Win2K3 Priv Escalation

It's good that he got it running (it's easy enough with physical
access), but your friend should probably plan for a rebuild in the near
future, or at least a comprehensive audit against the systems.  If the
ex-admin deleted accounts and changed passwords (which, btw, will land
him in jail if the company follows through with it as they should) then
you have no idea what else he's done to compromise the DC or any other
system he has access to.  It's probably too late to depend on any
forensic information to build a case against any additional damages
(since your friend has already stepped on the file system and AD) - but
who knows, a plea bargain including reparation for expenses could cover
the costs for them.

Bottom line is that the integrity of the install is compromised, and
you'll have no effective way of determining what level of trojans,
rootkits, malware, etc he has in place given his obvious propensity for
criminal behavior.  Leaving things "as is" and moving forward could be a
mistake.

t

> -----Original Message-----
> From: Justin@ESC [mailto:justin@...racing.com]
> Sent: Wednesday, November 28, 2007 5:12 AM
> To: bugtraq@...urityfocus.com
> Subject: Re: Win2K3 Priv Escalation
> 
> 
>     Thanks for all the replies, he got himself in, and they should be
> contacting local authorities or at least a lawyer today. It's a
> manufacturing company and for some reason 2 of the key services were
> run under a user acct that once had admin permissions; without the
> administrative rights it wouldn't run, and it couldn't be switched over
> to a system service because no one had rights to do so. A day's worth
> of work down the drain, gotta love rogue employees is all I can say.
> 
> Thanks again :)
