Subj : Bugbear.A virus notes
To   : Mike Ruskai
From : Mike Luther
Date : Thu Oct 17 2002 12:38 am

Mike ..

MR> The user management screen has a set of radio buttons for making the
MR> password optional or required.  It defaults to optional for the GUEST
MR> account.  It defaults to required for all new accounts.

MR> I'm not sure if there are any command-line user management programs

MR> Basically, one should leave the GUEST account as is, and create new ones
MR> for password-protected access to resources.

There is such a button combination, including the 'expire password' check box,
in the Shared Resources setup folder.  However, in this case, when the two
attacks managed to get in, this was firmly set so that the GUEST required a
password.  It was not optional at all.

And in this case it only had USER rights checked.

I haven't got my notes in front of me, but from reading the Usenet groups, I know
that there is a utility tool for command-line use which will, if I recall it
right, create a new user with ADMIN rights from the get-go at command-prompt
level.  Further, I think I recall that you can also copy over the NET.ACC
account file from the install directory into the appropriate place in the
operations game.  That will restore the standard OPERATOR - PASSWORD and GUEST
with no password game to get you back in if you can't remember this and that.

But doing this on a bust-in Port 136/7 - 139 romp?  If that happened, my
customized access profiles would then be gone too, and they hadn't changed at
all in re what had been set, despite the escapades.  No new goodies shown there
at all from what was there earlier.  Nor did the LAN register anyone logged in
when it was happening ...

As we noted in the discussion, OS/2 doesn't have any three-strikes-and-you're-out
or similar password-pranging block.  You can mash on it en masse trying to
break in.  And, in both cases, I wasn't around when it started.  But if there
wasn't anyone logged in when it was happening in the logout, yet it was
happening, something had to be grossly wrong.  And we never found out what it
was that was bad.

As I think I recall all the discourse that went on at the time, NIMDA.A was
seeking the use of boxes with NETBIOS over TCP/IP which had a GUEST account
with no password, or an ADMIN account with no password, or a box on which the
pest could establish administrative rights and create shares on the fly via this
or that attack mode for what it wanted.

I even thought about the possibility that even though you might have had a
GUEST with no password, and created shared resources for it with read/write
capability, you could have then gotten rid of GUEST in LAN/UPM.  But you might
have still left GUEST defined in the shared resources folder and so on, as I
think you are citing here.  I can visualize how that might get you into hot water
with NB over TCP/IP and far places.  However, that wasn't the case here either,
and the install admin plus password was gone too.


--> Sleep well; OS/2's still awake! ;)

Mike @ 1:117/3001

--- Maximus/2 3.01
* Origin: Ziplog Public Port (1:117/3001)
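The message above notes that OS/2 LAN Server had no "three strikes" lockout, so a NetBIOS-over-TCP/IP password guesser could hammer the GUEST and ADMIN accounts freely.  The following is an added example, not code from either poster or from OS/2, showing the kind of lockout/alerting logic that was missing: it replays constructed logon-attempt records (the log format, the addresses and the account names are assumptions for illustration) and flags any source/account pair that fails more than a threshold number of times within a time window, plus any attempt that follows such a lockout.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from the original post): NetBIOS/SMB session
# setup attempts as a file server might log them.  Fields: time, source address,
# account, result.  A single source guesses at GUEST and ADMIN, then gets in.
SAMPLE_LOG = """\
2002-10-16T23:41:02 192.0.2.77 GUEST FAIL
2002-10-16T23:41:03 192.0.2.77 GUEST FAIL
2002-10-16T23:41:03 192.0.2.77 ADMIN FAIL
2002-10-16T23:41:04 192.0.2.77 GUEST FAIL
2002-10-16T23:41:05 192.0.2.77 ADMIN FAIL
2002-10-16T23:41:06 192.0.2.77 GUEST FAIL
2002-10-16T23:41:09 192.0.2.77 GUEST OK
2002-10-17T00:15:00 198.51.100.5 MIKE FAIL
2002-10-17T00:20:00 198.51.100.5 MIKE OK
"""

THRESHOLD = 3                  # failures that trigger a lockout ("three strikes")
WINDOW = timedelta(seconds=60)  # failures older than this no longer count


def parse(line):
    """Split one log record into (timestamp, source, account, succeeded)."""
    ts, src, acct, status = line.split()
    return datetime.fromisoformat(ts), src, acct, status == "OK"


def detect(log_text, threshold=THRESHOLD, window=WINDOW):
    """Replay the log and return a list of (time, source, account, kind) alerts.

    kind is "lockout" when a source/account pair reaches the failure threshold
    inside the window, "attempt-during-lockout" for a further failed attempt
    against a locked pair, and "success-during-lockout" for a logon that
    succeeded after the pair was locked (exactly what a real lockout would
    have refused, and what a server with no lockout lets through).
    """
    recent = defaultdict(deque)  # (src, acct) -> timestamps of recent failures
    locked = {}                  # (src, acct) -> time the lockout began
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, acct, ok = parse(line)
        key = (src, acct)
        if key in locked:
            kind = "success-during-lockout" if ok else "attempt-during-lockout"
            alerts.append((ts, src, acct, kind))
            continue
        if ok:
            recent[key].clear()  # a genuine user who finally typed it right
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            locked[key] = ts
            alerts.append((ts, src, acct, "lockout"))
    return alerts


if __name__ == "__main__":
    for ts, src, acct, kind in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {src:14} {acct:6} {kind}")
```

On the constructed log, 192.0.2.77 is locked out of GUEST on its third failure and both later attempts (including the one that succeeded) are reported, while the single mistyped password from 198.51.100.5 produces nothing.  The window matters: a guesser that spaces attempts more than 60 seconds apart never trips the counter, so in practice one also tracks failures per source across all accounts, since the same host was working both GUEST and ADMIN here.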