gormly asked:
HelpAssistant user on win2K

The other day, I all of a sudden lost access to my network drives; about 6 machines were affected.

It said I did not have the required logon type.

Well, after panicking (we just got over a bad virus) I went through everything, and everything looked normal, until I looked at the local security policy, in the setting for allow network access.

There was a new "user" there: HelpAssistant.
This user was present on all the affected machines, and the Administrator (which is the same on all machines) was not,
so I removed the HelpAssistant and put back the Administrator and all was OK.

I also deleted the user from the Users snap-in.

My question is this:

My systems (12 plus 2 web servers) all have ONE user activated, that is Administrator; no other accounts are available.  All systems only use administrative shares, C$ etc.

How was someone able to create a new user (remotely, outside the office) and set my local policy, and is there a way to prevent this in the future?

No one in the office could or would have done this... it's mostly 50-60 year old ladies who can barely press the Enter key when prompted.
CrazyOne

The only thing I can find about HelpAssistant has to do with XP:

http://support.microsoft.com/default.aspx?scid=kb;en-us;323647
gormly (asker)
Yes, I know about that; that is valid for XP,
but not for Win2k.

It is obviously a hack attempt.
I am looking for an answer along "hacker" and attack lines.
ASKER CERTIFIED SOLUTION
Maxnort
gormly (asker)
Max,

thanks for the reply; you'll get the points if no one else gives me a "cause" in a reasonable amount of time.

I was really looking for a "how they got in".

But I like the suggestion of leaving it in, disabled.
gormly (asker)

Not the explanation I needed, but it gave an excellent idea.
Gormly,

A weak administrator password, or any weak password for any user that is in the administrators group, can result in the compromise you have seen.  If you are auditing for failed and successful logons, you will probably see the attack follow this pattern...

1. Several anonymous attempts (most likely successful, unless you have hacked the registry to restrict anonymous) to enumerate your groups and users.

2. From this list, the administrators group members are systematically used in a dictionary attack.  Password after password is tried.  I have seen over 8000 attempts in as little as 10 minutes.  Since the user "administrator" can't be locked out, the attack can go on and on unhindered...

If your password is weak and guessed, you will actually see a successful login by whatever rogue machine is making the attempts, after the stream of failed logon attempts.  It will then log in as the administrator several times, and maybe punt your machine off to another machine, making the changes you see plus who knows what other changes.

Your best bet is to blow it away and restore from a recent backup.  I am not sure what gets created besides the HelpAssistant user but it is better safe than sorry if other back doors were loaded also.

Good luck

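The audit pattern described in the answer above (anonymous enumeration, a burst of failed logons against Administrator, then a success from the same source), turned into detection logic as an added example. This is not code from the original thread; it runs over a constructed, simplified CSV export of a Windows 2000 Security log. The event IDs (529 logon failure, 528 successful logon, 540 successful network logon) and logon type 3 (network logon) are the real Windows 2000 values; the column layout, the 5-failure threshold and the 10-minute window are assumptions of the example.

```python
"""Detect a password-guessing run against Administrator followed by a
successful logon from the same source, in an exported Win2K Security log.

Assumed input (not any tool's native format): a simplified CSV export with
timestamp, event id, target account, logon type and source workstation.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000 Security log event IDs.
FAILED_LOGON = 529            # Logon Failure: unknown user name or bad password
SUCCESS_LOGON = {528, 540}    # Successful Logon / Successful Network Logon
NETWORK_LOGON_TYPE = 3        # logon over the network (e.g. to an admin share)

# Constructed sample: five failures in a few seconds from an unknown
# workstation, then a network logon from it; plus one benign typo during a
# console logon at the reception desk.
SAMPLE_LOG = """\
timestamp,event_id,account,logon_type,workstation
2003-05-12 02:14:01,529,Administrator,3,WS-UNKNOWN
2003-05-12 02:14:02,529,Administrator,3,WS-UNKNOWN
2003-05-12 02:14:02,529,Administrator,3,WS-UNKNOWN
2003-05-12 02:14:03,529,Administrator,3,WS-UNKNOWN
2003-05-12 02:14:04,529,Administrator,3,WS-UNKNOWN
2003-05-12 02:14:05,540,Administrator,3,WS-UNKNOWN
2003-05-12 08:30:00,529,Administrator,2,RECEPTION1
2003-05-12 08:30:20,528,Administrator,2,RECEPTION1
"""


def parse_log(text):
    """Parse the CSV export into dicts sorted by timestamp (stable sort)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["event_id"]),
            "account": row["account"],
            "logon_type": int(row["logon_type"]),
            "workstation": row["workstation"],
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def find_guessing_runs(rows, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per run of at least `threshold` failed logons for the
    same (workstation, account) with no gap longer than `window`.  If a
    successful logon from that source follows within `window`, the alert
    carries its time and logon type in compromised_at / logon_type."""
    by_source = defaultdict(list)
    for r in rows:
        by_source[(r["workstation"], r["account"])].append(r)

    alerts = []

    def close_run(ws, acct, run, success=None):
        # A short run (someone mistyping twice) is not worth an alert.
        if len(run) >= threshold:
            alerts.append({
                "workstation": ws,
                "account": acct,
                "failures": len(run),
                "first_failure": run[0],
                "last_failure": run[-1],
                "compromised_at": success["ts"] if success else None,
                "logon_type": success["logon_type"] if success else None,
            })

    for (ws, acct), events in by_source.items():
        run = []   # timestamps of the failures in the current run
        for e in events:
            if e["event_id"] == FAILED_LOGON:
                if run and e["ts"] - run[-1] > window:
                    close_run(ws, acct, run)      # stale run: report and restart
                    run = []
                run.append(e["ts"])
            elif e["event_id"] in SUCCESS_LOGON:
                recent = bool(run) and e["ts"] - run[-1] <= window
                close_run(ws, acct, run, e if recent else None)
                run = []
        close_run(ws, acct, run)                  # attack still running, no success yet
    return alerts


def describe(alert):
    """One-line summary for the operator reading the report."""
    if alert["compromised_at"]:
        outcome = "COMPROMISED at %s (logon type %d)" % (
            alert["compromised_at"], alert["logon_type"])
    else:
        outcome = "no success seen yet"
    return "%s -> %s: %d failures starting %s, %s" % (
        alert["workstation"], alert["account"], alert["failures"],
        alert["first_failure"], outcome)


if __name__ == "__main__":
    for a in find_guessing_runs(parse_log(SAMPLE_LOG)):
        print(describe(a))
```

Two practical notes: on Windows 2000 nothing lands in the Security log until "Audit logon events" is enabled for both success and failure in the local (or domain) audit policy, so that is the first thing to switch on; and the tell in the sample is the combination of a workstation name nobody recognises with a type 3 (network) logon as Administrator, which is exactly what a remote attacker using the admin shares would produce. The single reception-desk failure is deliberately below the threshold and produces no alert.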
amra_
You can block Remote Assistance by group policy within the organisation; it's also possible to block it on your firewall by blocking port 3389 (IIRC).
Here's the link:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/server/ra_server_overview.asp