How does a web site harvest user names

Archived from groups: microsoft.public.windowsxp.security_admin

I believe someone obtained my accounts "user names" from my xpsp2 box while I
was surfing the other day.
I have logon auditing turned on and noticed failed attempts to remote in
using all the valid user accounts on my machine. I was surfing just prior to
the attempts and am therefore guessing this is how they obtained the names.

I have both hardware and software (XP) firewall in place with only port 3389
open from the outside.
I am using the MyIE2 browser with popup and ad blocking enabled. Spybot with
Immunize turned on.
I was browsing as an admin ;-(

Anyone know how this happens and if it can be stopped?
Thanks
  1. Archived from groups: microsoft.public.windowsxp.security_admin

    Nato-
    At face value with what you have shared already, it is reasonable that you
    may have contracted a keylogger/spyware program onto your system. If you
    downloaded a file [esp while logged in as Administrator - definitely :-(((]
    and then executed that download, you may have been infected with one and
    subsequently be in VERY deep River-City trouble. If this is what happened,
    then all your passwords are suspect to have been reported to this hacker, too
    (can you remember which ones you HAVEN'T typed since you (may have) gotten
    infected?)

    A Freeware anti-spyware tool is Spybot Search and Destroy.
    Better, though, is Spysweeper (it can find about twice as many mal-wares as
    what Spybot can at last count; although both make regular updates to their
    definitions database). I like both for their own reasons so use them both.

    Webroot is the maker of Spysweeper (http://www.webroot.com/).
    They also offer a free online sweep of your system (Spy Audit - look in the
    upper right corner of the home page).

    It would be well worth your while to try this ASAP as a first step.

    Good luck!

    "Nato" wrote:

    > I believe someone obtained my accounts "user names" from my xpsp2 box while I
    > was surfing the other day.
    > I have logon auditing turned on and noticed failed attempts to remote in
    > using all the valid user accounts on my machine. I was surfing just prior to
    > the attempts and am therefore guessing this is how they obtained the names.
    >
    > I have both hardware and software (XP) firewall in place with only port 3389
    > open from the outside.
    > I am using the MyIE2 browser with popup and ad blocking enabled. Spybot with
    > Immunize turned on.
    > I was browsing as an admin ;-(
    >
    > Anyone know how this happens and if it can be stopped?
    > Thanks
  2. Archived from groups: microsoft.public.windowsxp.security_admin

    Thank you for the post. I don't think I have a keylogger as I am running
    Spybot and the logon events were all failures. I suspect the perp just tried
    each account a single time for a blank password.
    My question is can you dump the account information via a web command. Is
    there a web app similar to the net user command? Perhaps a DSO exploit?

    "Danor" wrote:

    > Nato-
    > At face value with what you have shared already, it is reasonable that you
    > may have contracted a keylogger/spyware program onto your system. If you
    > downloaded a file [esp while logged in as Administrator - definitely :-(((]
    > and then executed that download, you may have been infected with one and
    > subsequently be in VERY deep River-City trouble. If this is what happened,
    > then all your passwords are suspect to have been reported to this hacker, too
    > (can you remember which ones you HAVEN'T typed since you (may have) gotten
    > infected?)
    >
    > A Freeware anti-spyware tool is Spybot Search and Destroy.
    > Better, though, is Spysweeper (it can find about twice as many mal-wares as
    > what Spybot can at last count; although both make regular updates to their
    > definitions database). I like both for their own reasons so use them both.
    >
    > Webroot is the maker of Spysweeper (http://www.webroot.com/).
    > They also offer a free online sweep of your system (Spy Audit - look in the
    > upper right corner of the home page).
    >
    > It would be well worth your while to try this ASAP as a first step.
    >
    > Good luck!
    >
    > "Nato" wrote:
    >
    > > I believe someone obtained my accounts "user names" from my xpsp2 box while I
    > > was surfing the other day.
    > > I have logon auditing turned on and noticed failed attempts to remote in
    > > using all the valid user accounts on my machine. I was surfing just prior to
    > > the attempts and am therefore guessing this is how they obtained the names.
    > >
    > > I have both hardware and software (XP) firewall in place with only port 3389
    > > open from the outside.
    > > I am using the MyIE2 browser with popup and ad blocking enabled. Spybot with
    > > Immunize turned on.
    > > I was browsing as an admin ;-(
    > >
    > > Anyone know how this happens and if it can be stopped?
    > > Thanks
  3. Archived from groups: microsoft.public.windowsxp.security_admin

    Are you using the Welcome Screen to login (pictures and names versus the
    classic login dialog)?

    If so, see if the events in the following KB article look familiar:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;305822.

    --
    Bob McCoy
    * This posting is provided "AS IS" with no warranties, and confers no
    rights.
    * Please note I cannot respond to email questions. Please use these
    newsgroups.


    "Nato" <Nato@discussions.microsoft.com> wrote in message
    news:7F4F8455-03B7-4101-8120-803C5F3947F1@microsoft.com...
    > I believe someone obtained my accounts "user names" from my xpsp2 box while I
    > was surfing the other day.
    > I have logon auditing turned on and noticed failed attempts to remote in
    > using all the valid user accounts on my machine. I was surfing just prior to
    > the attempts and am therefore guessing this is how they obtained the names.
    >
    > I have both hardware and software (XP) firewall in place with only port 3389
    > open from the outside.
    > I am using the MyIE2 browser with popup and ad blocking enabled. Spybot with
    > Immunize turned on.
    > I was browsing as an admin ;-(
    >
    > Anyone know how this happens and if it can be stopped?
    > Thanks
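
Added example, not part of any post in this thread: a way to check whether audited logon failures like those described above arrived over Remote Desktop or were generated at the console, and whether each account was tried only once. It assumes the Security log failure events (ID 529 on Windows XP, with Logon Type 2 = console, 3 = network, 10 = remote interactive) have been exported to a simplified `time|event id|fields` layout; that layout, the sample records and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

REMOTE_TYPES = {3, 10}   # 3 = network, 10 = remote interactive (RDP); 2 = console

# Constructed sample records (time|event id|description fields), not real log data.
SAMPLE = """\
2005-03-01 19:02:11|529|User Name: Administrator; Logon Type: 2; Workstation Name: XPBOX
2005-03-01 19:02:11|529|User Name: Nato; Logon Type: 2; Workstation Name: XPBOX
2005-03-01 19:02:12|529|User Name: Guest; Logon Type: 2; Workstation Name: XPBOX
2005-03-02 03:14:40|529|User Name: Administrator; Logon Type: 10; Workstation Name: XPBOX
2005-03-02 03:14:55|529|User Name: admin; Logon Type: 10; Workstation Name: XPBOX
2005-03-02 03:15:07|529|User Name: Administrator; Logon Type: 10; Workstation Name: XPBOX
"""

def parse(text):
    """Turn exported records into dicts, keeping only 529 logon failures."""
    events = []
    for line in text.splitlines():
        when, event_id, desc = line.split("|", 2)
        if event_id != "529":
            continue
        fields = {k.strip(): v.strip() for k, _, v in
                  (part.partition(":") for part in desc.split(";"))}
        events.append({"time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                       "user": fields["User Name"],
                       "type": int(fields["Logon Type"])})
    return sorted(events, key=lambda e: e["time"])

def bursts(events, gap=timedelta(seconds=60)):
    """Group failures separated by no more than `gap` into one burst."""
    groups = []
    for ev in events:
        if groups and ev["time"] - groups[-1][-1]["time"] <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups

def triage(events):
    """Summarise each burst: which accounts, local or remote, one try per account."""
    report = []
    for group in bursts(events):
        users = [e["user"] for e in group]
        types = {e["type"] for e in group}
        report.append({"start": group[0]["time"],
                       "accounts": sorted(set(users)),
                       "origin": "remote" if types & REMOTE_TYPES else "local",
                       # one try per account looks like a sweep of the account
                       # list rather than repeated password guessing
                       "one_try_each": len(users) == len(set(users))})
    return report

if __name__ == "__main__":
    for row in triage(parse(SAMPLE)):
        print(row)
```

A burst reported as `local` with one try per account did not come through port 3389; a `remote` burst is the case where the source address on the firewall or router log is worth correlating.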