Being Hacked, user rights assignments were changed!
Shooefly
post Jan 12 2008, 08:46 PM
Post #1
New Member
Group: Members
Posts: 5
Joined: 12-January 08
Member No.: 183,062

I've been watching my security logs, security settings, etc. for some time as I suspected I was being hacked. Yesterday I noticed some of the security settings had been changed, so I put them as I thought they should be, including disabling use of a smart card.
Today, I find that the user rights assignments have all been completely changed, to such a degree that it appears a template was inserted. Every single right has this "name" and many variations of it assigned to it: *S-1-5-21-823518204-1078145449-725345543-1006

I have attached the exported file concerned.

How can I undo this and have sole administrative control over this computer again?

It is a Windows 2000.

Unfortunately, I know enough to know someone's messing with things, but not enough to know how to fix it/catch them.
Thank you so much for your help.

Attached File(s)
Attached File  changed_user_rights_assgmts_jan_12_2008.txt ( 8.41k ) Number of downloads: 24
boopme
post Jan 13 2008, 10:03 PM
Post #2
To INSANITY and BEYOND !!
Group: Moderator
Posts: 10,943
Joined: 10-September 04
From: NJ USA
Member No.: 2,608

Hello Shooefly (dang if I don't love that pie).
What type of connection is this: cable, etc., wired or wireless?
Do you have a firewall and/or a router?
What are your antivirus and spyware tools?
It does appear to be a hack. That said, you would be best served to keep this PC disconnected from the internet till fixed. Consider any passwords or financial info stored within to be compromised.
I am looking further into this, so in the meantime please provide the requested info.


--------------------
Can you spare some PC cycles to help FIND A CURE .. BC FOLDING TEAM Click me /info..
ThoughtVent, a good place to discuss. Staying Updated: Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Shooefly
post Jan 17 2008, 02:23 PM
Post #3
New Member
Group: Members
Posts: 5
Joined: 12-January 08
Member No.: 183,062

Dear Boopme:

Thank you for your offer to help! I'm only on every few days, as I have to fight my kids for internet time.
The computer in question had only AVG Free, which I uninstalled, and I downloaded F-Secure. It found nothing.
I can't even find the Windows firewall on this Windows 2000, SP4.
There has been detailed tracking going on inside the computer logs ever since it was given to my children (after I poked around and set up the logging, that is; when it came, event logging was not even turned on).
I want to find out who is doing this, but I can't even find Windows firewall in it via Control Panel or via a search. I will have to install Norton's firewall from Rogers (we have Rogers high-speed lite cable); I know you can do netstat -a or something, but I don't quite know how.
I am attaching the detailed tracking in the event logs... after I made changes to the user rights/security and services permissions there were a whole lot of failed access attempts... but now I can't find that one, maybe it's mislabelled. I had to break it into parts, as it was too big to upload. I also have the .evt files, but I don't know how to break those up and make them small enough. I could try to zip them later, I guess.
I think I've answered all of your questions now; if not, I'll be back.

Thanks again for your help!

And I like the quote at the bottom of your post, by the way. That's one of my favorite books!!

Attached File(s)
Attached File  seclog_J_11_pt_2.rtf ( 5.93k ) Number of downloads: 14
Attached File  sec_log_Jan_11_2008_am.rtf ( 4.9k ) Number of downloads: 14
Shooefly
post Jan 17 2008, 02:28 PM
Post #4
New Member
Group: Members
Posts: 5
Joined: 12-January 08
Member No.: 183,062

QUOTE(boopme @ Jan 13 2008, 10:03 PM):
Hello Shooefly (dang if I don't love that pie).
What type of connection is this: cable, etc., wired or wireless?
Do you have a firewall and/or a router?...


Hello Boopme,

I think I replied in the wrong place and it won't notify you, so here's a little note.... thank you for offering to help. I posted a reply in the thread under your message.
tswsl1989
post Jan 18 2008, 11:36 AM
Post #5
Forum Regular
Group: Members
Posts: 260
Joined: 11-June 07
From: Cymru/Wales
Member No.: 136,036

Download psgetsid from here.
Unzip the file and copy it to Windows\system32.
Open a command prompt and run:
psgetsid [Your account name here]

Compare the bit between the S-1-5- and the last group of digits.
Reply, stating whether they're the same or not. If they're different, DO NOT POST THE FULL NUMBER, just reply and say that the numbers don't match.


--------------------
Tom

Tswsl1989
Duct tape is like the force. It has a light side, a dark side, and it holds the universe together
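Tom's check above works because a SID of the form S-1-5-21-A-B-C-RID carries the issuing machine's (or domain's) identifier in the A-B-C part and only the last group, the RID, names the individual account; a right granted to a SID whose A-B-C part does not match your own account's SID was issued somewhere else, and a local SID that no longer resolves to a name is worth a second look as well. The Python script below is an added example, not code from the thread or from the PsTools author: it parses the [Privilege Rights] section of a secedit-style user-rights export like the attached file and classifies every SID against a reference SID for an account you know to be local (the value psgetsid prints). The export text and the reference SID are constructed samples; the single S-1-5-21 SID quoted in the thread is included, and a second SID with a different machine part is made up to show the "foreign" case. Whether the thread's SID really is local to that machine is exactly what the psgetsid comparison would establish, so the code does not assume it.

```python
"""Classify the SIDs that hold user rights in a secedit-style export.

Added example for the thread above; constructed sample data throughout.
"""
import re
from typing import Dict, List, Optional, Tuple

# Well-known SIDs as documented by Microsoft (not an exhaustive list).
WELL_KNOWN: Dict[str, str] = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
}

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid: str) -> Tuple[int, Tuple[int, ...]]:
    """Split 'S-1-<authority>-<sub>-...' into (authority, sub-authorities)."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    parts = sid.split("-")
    return int(parts[2]), tuple(int(p) for p in parts[3:])


def machine_prefix(sid: str) -> Optional[str]:
    """For S-1-5-21-A-B-C-RID return 'S-1-5-21-A-B-C', the part that identifies
    the machine or domain that issued the SID; None for any other SID shape."""
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    return None


def rid(sid: str) -> int:
    """Relative identifier: the final sub-authority (500 = built-in Administrator,
    501 = Guest, 1000 and up = accounts created on that machine/domain)."""
    return parse_sid(sid)[1][-1]


def parse_privilege_rights(export_text: str) -> Dict[str, List[str]]:
    """Read the [Privilege Rights] section of a secedit export. Each line is
    'SeSomeRight = principal,principal,...'; SIDs carry a leading '*'."""
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def classify(sid: str, reference_sid: str) -> str:
    """'well-known', 'local' (same machine part as reference_sid),
    'foreign' (S-1-5-21 SID issued elsewhere) or 'other'."""
    if sid in WELL_KNOWN:
        return "well-known"
    prefix = machine_prefix(sid)
    if prefix is None:
        return "other"
    return "local" if prefix == machine_prefix(reference_sid) else "foreign"


def audit(export_text: str, reference_sid: str) -> Dict[str, dict]:
    """Map every SID in the export to its class and the sorted rights it holds.
    Principals that are plain account names (already resolved) are skipped."""
    report: Dict[str, dict] = {}
    for right, principals in parse_privilege_rights(export_text).items():
        for principal in principals:
            if not _SID_RE.match(principal):
                continue
            entry = report.setdefault(principal, {"class": classify(principal, reference_sid), "rights": []})
            entry["rights"].append(right)
    for entry in report.values():
        entry["rights"].sort()
    return report


# Constructed sample export: the S-1-5-21-...-1006 SID is the one quoted in the
# thread; the 999999999-... SID is made up to show a non-matching machine part.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-823518204-1078145449-725345543-1006
SeTakeOwnershipPrivilege = *S-1-5-21-823518204-1078145449-725345543-1006,*S-1-5-21-999999999-888888888-777777777-1006
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed stand-in for what psgetsid prints for your own local account.
REFERENCE_SID = "S-1-5-21-823518204-1078145449-725345543-500"

if __name__ == "__main__":
    for sid, entry in audit(SAMPLE_EXPORT, REFERENCE_SID).items():
        label = WELL_KNOWN.get(sid, f"RID {rid(sid)}" if machine_prefix(sid) else "")
        print(f"{entry['class']:10} {sid} {label}: {', '.join(entry['rights'])}")
```

In practice you would paste the real export in place of SAMPLE_EXPORT and the psgetsid output in place of REFERENCE_SID, and look first at anything reported as "foreign", then at "local" entries whose RID you cannot tie to an account that should hold that right.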
Shooefly
post Feb 13 2008, 01:40 PM
Post #6
New Member
Group: Members
Posts: 5
Joined: 12-January 08
Member No.: 183,062

Hi Tom,

Thank you for your help. I downloaded it and attempted to copy it into WINNT\system32, and it said there was one there already, modified in 2000. So I tried to use the command prompt with the existing one, but it won't work... it keeps saying "error querying account: no mapping between account names and security IDs was done."

I typed at the command prompt, psgetsid [USER-blahblahblahlettersandnumbersblah\Family] and that didn't work, so I tried just [Family] and that didn't work either...took out the space in front of bracket too, with no luck. 'Family' user account has administrator privileges.

Should I copy the downloaded file over the old one and try that? Or should the old one have been good enough?

Thanks.

tswsl1989
post Feb 14 2008, 05:03 AM
Post #7
Forum Regular
Group: Members
Posts: 260
Joined: 11-June 07
From: Cymru/Wales
Member No.: 136,036

Sorry, the brackets were just there to show that that text should be replaced.
Try:
psgetsid Family

and then follow the previous instructions.


© 2003-2008 All Rights Reserved Bleeping Computer LLC.