HELP, Hacked with machine account

G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

I was hacked by a person usering a machine$ account and nt authority. How can I view the system accounts and how can I disable the NT Authority. Looks like hacker has a script running to change all my settings after I logon. How can I tell what is being loaded and in what order

Thank for you all your help
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

First run a virus scan and trojan scan [SwatIt is a free download] program with
current definitions to see if they can find anything malicious being sure to use
latest definition files from what ever product you use. You can't disable
NTAuthority.

http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
-- try here also.

There are free tools from SysInternals if you want to explore what has happened
including Autoruns, TCPView, and Process Explorer. Autoruns will list startup
programs from many possible places on your computer and TCPView will show what
application/process is listening on a port while Process Explorer will give more
detailed information on the process. Booting into safe mode may be worth a try to
bypass problem to make repairs.

A big concern would be how did this happen and how can you prevent this from
happening again. A properly configured firewall, up to date virus protection that
also scans all email, keeping current on critical updates, and using a good password
are places to start. You can look in Local Group Policy via gpedit.msc to see if any
startup or logon scripts are configured there. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;322241 --- Group
Policyscripts.


"Blueman (HACKED OFF)" <Blueman (HACKED OFF)@discussions.microsoft.com> wrote in
message news:5D87D54D-F8E4-4C59-84A0-92890263446A@microsoft.com...
> I was hacked by a person usering a machine$ account and nt authority. How can I
view the system accounts and how can I disable the NT Authority. Looks like hacker
has a script running to change all my settings after I logon. How can I tell what is
being loaded and in what order
>
> Thank for you all your help
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Thanks for the help Steve. The odd thing is I cant tell when this hacker is logged on. I have tried all PSTOOLS and Auditing. He is like a ghost. Nothing to track him. I found his machine connected once with Hyena. Running task manager shows no connected users. I stopped all local policys and and still denied access. I cant find anyone logon scripts. What can run before policys.

"Steven L Umbach" wrote:

> First run a virus scan and trojan scan [SwatIt is a free download] program with
> current definitions to see if they can find anything malicious being sure to use
> latest definition files from what ever product you use. You can't disable
> NTAuthority.
>
> http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
> -- try here also.
>
> There are free tools from SysInternals if you want to explore what has happened
> including Autoruns, TCPView, and Process Explorer. Autoruns will list startup
> programs from many possible places on your computer and TCPView will show what
> application/process is listening on a port while Process Explorer will give more
> detailed information on the process. Booting into safe mode may be worth a try to
> bypass problem to make repairs.
>
> A big concern would be how did this happen and how can you prevent this from
> happening again. A properly configured firewall, up to date virus protection that
> also scans all email, keeping current on critical updates, and using a good password
> are places to start. You can look in Local Group Policy via gpedit.msc to see if any
> startup or logon scripts are configured there. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;322241 --- Group
> Policyscripts.
>
>
> "Blueman (HACKED OFF)" <Blueman (HACKED OFF)@discussions.microsoft.com> wrote in
> message news:5D87D54D-F8E4-4C59-84A0-92890263446A@microsoft.com...
> > I was hacked by a person usering a machine$ account and nt authority. How can I
> view the system accounts and how can I disable the NT Authority. Looks like hacker
> has a script running to change all my settings after I logon. How can I tell what is
> being loaded and in what order
> >
> > Thank for you all your help
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Nothing unusual shows up as far as ports listening with TCPView, or startup processes
with Autoruns? Services load before anyone logs on, are there any unusual services
listed? Also check add/remove programs to see if anything unusual shows. Are you
using a firewall? Why do you think it is NT Authority? Anonymous connections in the
security log are normal and may not indicate hacking. Check the members of your
administrators group to make sure it is correct and change your password, though if a
keyboard logger is installed that may not help. The following services should be
disabled if you do not use them - telnet, ftp, and www and file and print sharing if
you do not share files with a user on a network or use it for remote management via
Computer Management. It may help to install a personal firewall like Sygate [free] on
your computer and use it for logging and to alert you when a process wants to access
the internet. --- Steve


"Blueman (HACKED OFF)" <BluemanHACKEDOFF@discussions.microsoft.com> wrote in message
news:65CE1A8C-1E1D-433A-AC7A-7C39DCF07A6C@microsoft.com...
> Thanks for the help Steve. The odd thing is I cant tell when this hacker is logged
on. I have tried all PSTOOLS and Auditing. He is like a ghost. Nothing to track him.
I found his machine connected once with Hyena. Running task manager shows no
connected users. I stopped all local policys and and still denied access. I cant
find anyone logon scripts. What can run before policys.
>
> "Steven L Umbach" wrote:
>
> > First run a virus scan and trojan scan [SwatIt is a free download] program with
> > current definitions to see if they can find anything malicious being sure to use
> > latest definition files from what ever product you use. You can't disable
> > NTAuthority.
> >
> >
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
> > -- try here also.
> >
> > There are free tools from SysInternals if you want to explore what has happened
> > including Autoruns, TCPView, and Process Explorer. Autoruns will list startup
> > programs from many possible places on your computer and TCPView will show what
> > application/process is listening on a port while Process Explorer will give more
> > detailed information on the process. Booting into safe mode may be worth a try to
> > bypass problem to make repairs.
> >
> > A big concern would be how did this happen and how can you prevent this from
> > happening again. A properly configured firewall, up to date virus protection that
> > also scans all email, keeping current on critical updates, and using a good
password
> > are places to start. You can look in Local Group Policy via gpedit.msc to see if
any
> > startup or logon scripts are configured there. --- Steve
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;322241 --- Group
> > Policyscripts.
> >
> >
> > "Blueman (HACKED OFF)" <Blueman (HACKED OFF)@discussions.microsoft.com> wrote in
> > message news:5D87D54D-F8E4-4C59-84A0-92890263446A@microsoft.com...
> > > I was hacked by a person usering a machine$ account and nt authority. How can
I
> > view the system accounts and how can I disable the NT Authority. Looks like
hacker
> > has a script running to change all my settings after I logon. How can I tell
what is
> > being loaded and in what order
> > >
> > > Thank for you all your help
> >
> >
> >
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

It is useful to find out what you did wrong to prevent being hacked again,
but ultimately you may want to format and reinstall Windows as an easier and
quicker and more secure solution. Not having a firewall, anti-virus and/or
Microsoft patches are the first suspects. I would be using a firewall like
www.sygate.com or www.kerio.com or www.zonealarm.com or sniffer like
Ethereal to watch network traffic to see where and how this is coming in.
Be sure you know how to fully secure the system afterwards or else
formatting is a waste of time.

http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden


"Blueman (HACKED OFF)" <Blueman (HACKED OFF)@discussions.microsoft.com>
wrote in message news:5D87D54D-F8E4-4C59-84A0-92890263446A@microsoft.com...
> I was hacked by a person usering a machine$ account and nt authority. How
can I view the system accounts and how can I disable the NT Authority.
Looks like hacker has a script running to change all my settings after I
logon. How can I tell what is being loaded and in what order
>
> Thank for you all your help