
How does a web site harvest user names

December 28, 2004 8:53:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin

I believe someone obtained my accounts "user names" from my xpsp2 box while I
was surfing the other day.
I have logon auditing turned on and noticed failed attempts to remote in
using all the valid user accounts on my machine. I was surfing just prior to
the attempts and am therefore guessing this is how they obtained the names.

I have both hardware and software (XP) firewall in place with only port 3389
open from the outside.
I am using the MyIE2 browser with popup and ad blocking enabled. Spybot with
Immunize turned on.
I was browsing as an admin ;-(

Anyone know how this happens and if it can be stopped?
Thanks
Anonymous
December 29, 2004 1:49:06 AM


Nato-
At face value with what you have shared already, it is reasonable that you
may have contracted a keylogger/spyware program onto your system. If you
downloaded a file [esp while logged in as Administrator - definitely :-(((]
and then executed that download, you may have been infected with one and
subsequently be in VERY deep River-City trouble. If this is what happened,
then all your passwords are suspect to have been reported to this hacker, too
(can you remember which ones you HAVEN'T typed since you (may have) gotten
infected?)

A Freeware anti-spyware tool is Spybot Search and Destroy.
Better, though, is Spysweeper (it can find about twice as many mal-wares as
what Spybot can at last count; although both make regular updates to their
definitions database). I like both for their own reasons so use them both.

Webroot is the maker of Spysweeper (http://www.webroot.com/).
They also offer a free online sweep of your system (Spy Audit - look in the
upper right corner of the home page).

It would be well worth your while to try this ASAP as a first step.

Good luck!

"Nato" wrote:

> I believe someone obtained my accounts "user names" from my xpsp2 box while I
> was surfing the other day.
> I have logon auditing turned on and noticed failed attempts to remote in
> using all the valid user accounts on my machine. I was surfing just prior to
> the attempts and am therefore guessing this is how they obtained the names.
>
> I have both hardware and software (XP) firewall in place with only port 3389
> open from the outside.
> I am using the MyIE2 browser with popup and ad blocking enabled. Spybot with
> Immunize turned on.
> I was browsing as an admin ;-(
>
> Anyone know how this happens and if it can be stopped?
> Thanks
December 29, 2004 10:07:03 PM


Thank you for the post. I don't think I have a keylogger as I am running
Spybot and the logon events were all failures. I suspect the perp just tried
each account a single time for a blank password.
My question is can you dump the account information via a web command. Is
there a web app similar to the net user command? Perhaps a DSO exploit?

"Danor" wrote:

> Nato-
> At face value with what you have shared already, it is reasonable that you
> may have contracted a keylogger/spyware program onto your system. If you
> downloaded a file [esp while logged in as Administrator - definitely :-(((]
> and then executed that download, you may have been infected with one and
> subsequently be in VERY deep River-City trouble. If this is what happened,
> then all your passwords are suspect to have been reported to this hacker, too
> (can you remember which ones you HAVEN'T typed since you (may have) gotten
> infected?)
>
> A Freeware anti-spyware tool is Spybot Search and Destroy.
> Better, though, is Spysweeper (it can find about twice as many mal-wares as
> what Spybot can at last count; although both make regular updates to their
> definitions database). I like both for their own reasons so use them both.
>
> Webroot is the maker of Spysweeper (http://www.webroot.com/).
> They also offer a free online sweep of your system (Spy Audit - look in the
> upper right corner of the home page).
>
> It would be well worth your while to try this ASAP as a first step.
>
> Good luck!
>
> "Nato" wrote:
>
> > I believe someone obtained my accounts "user names" from my xpsp2 box while I
> > was surfing the other day.
> > I have logon auditing turned on and noticed failed attempts to remote in
> > using all the valid user accounts on my machine. I was surfing just prior to
> > the attempts and am therefore guessing this is how they obtained the names.
> >
> > I have both hardware and software (XP) firewall in place with only port 3389
> > open from the outside.
> > I am using the MyIE2 browser with popup and ad blocking enabled. Spybot with
> > Immunize turned on.
> > I was browsing as an admin ;-(
> >
> > Anyone know how this happens and if it can be stopped?
> > Thanks
Anonymous
December 30, 2004 2:54:48 PM


Are you using the Welcome Screen to login (pictures and names versus the
classic login dialog)?

If so, see if the events in the following KB article look familiar:
http://support.microsoft.com/default.aspx?scid=kb;en-us;305822.

--
Bob McCoy
* This posting is provided "AS IS" with no warranties, and confers no
rights.
* Please note I cannot respond to email questions. Please use these
newsgroups.


"Nato" <Nato@discussions.microsoft.com> wrote in message
news:7F4F8455-03B7-4101-8120-803C5F3947F1@microsoft.com...
> I believe someone obtained my accounts "user names" from my xpsp2 box while I
> was surfing the other day.
> I have logon auditing turned on and noticed failed attempts to remote in
> using all the valid user accounts on my machine. I was surfing just prior to
> the attempts and am therefore guessing this is how they obtained the names.
>
> I have both hardware and software (XP) firewall in place with only port 3389
> open from the outside.
> I am using the MyIE2 browser with popup and ad blocking enabled. Spybot with
> Immunize turned on.
> I was browsing as an admin ;-(
>
> Anyone know how this happens and if it can be stopped?
> Thanks
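
An added example, not part of any post in this thread: one way to check whether a run of failure audits like the one described above came in over Remote Desktop or from the local console is to group event 529 records by the logon type each one carries. The record layout, account names and timestamps below are constructed for illustration and are not a real Security log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon type values recorded in Windows logon audit events.
LOGON_TYPES = {2: "interactive (console)", 3: "network",
               10: "remote interactive (RDP)"}

# Constructed sample: time, event id, account, logon type.
SAMPLE = """\
2004-12-27 19:02:11,529,Administrator,10
2004-12-27 19:02:12,529,Owner,10
2004-12-27 19:02:13,529,Guest,10
2004-12-27 19:02:14,529,Kids,10
2004-12-28 08:15:40,529,Owner,2
2004-12-28 08:15:52,528,Owner,2
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, event_id, user, ltype = line.split(",")
        yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
               int(event_id), user, int(ltype))

def find_sweeps(text, window=timedelta(seconds=60), min_accounts=3):
    """Return bursts of failed logons that try several accounts once each."""
    by_type = defaultdict(list)
    for ts, event_id, user, ltype in parse(text):
        if event_id == 529:  # XP failure audit: unknown user name or bad password
            by_type[ltype].append((ts, user))  # 528 (success) is ignored
    sweeps = []
    for ltype, events in by_type.items():
        events.sort()
        burst = [events[0]]
        for ev in events[1:] + [None]:  # None flushes the final burst
            if ev is not None and ev[0] - burst[-1][0] <= window:
                burst.append(ev)
                continue
            users = [u for _, u in burst]
            # A sweep touches many distinct accounts and retries none of them.
            if len(set(users)) >= min_accounts and len(set(users)) == len(users):
                sweeps.append({"logon_type": LOGON_TYPES.get(ltype, str(ltype)),
                               "accounts": sorted(users),
                               "start": burst[0][0]})
            if ev is not None:
                burst = [ev]
    return sweeps
```

A sweep reported with logon type 10 arrived through Remote Desktop; one with logon type 2 was generated at the machine's own logon screen.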