Okay... Here is a new one for me. Got a call from my dad saying he left his PC on last night connected to his broadband. He went to log in this morning and noticed a new ID in his user list - IWAP_WWW. He immediately deleted it and called me. I had him ensure his critical updates were all applied - they were. I had him ensure his antivirus was up to date - it was (Norton Antivirus 2004). He is running XP Home.
I searched the antivirus sites and elsewhere for references. Any idea if there is a new vulnerability that has not been publicly released? Any clues?
Regards, Brent
** Reply to message from Brent_OKeeffe@asc.aon.com on Mon, 21 Jun 2004 12:44:50 -0500
> Okay... Here is a new one for me. Got a call from my dad saying he left his PC on last night connected to his broadband. He went to log in this morning and noticed a new ID in his user list - IWAP_WWW. He immediately deleted it and called me. I had him ensure his critical updates were all applied - they were. I had him ensure his antivirus was up to date - it was (Norton Antivirus 2004). He is running XP Home.
> I searched the antivirus sites and elsewhere for references. Any idea if there is a new vulnerability that has not been publicly released? Any clues?
> Regards, Brent
Out of curiosity, was he running any sort (including the XP one) of firewall software?
--
Jeff Shultz
A railfan pulls up to a RR crossing hoping that there will be a train.
That almost looks like one of the dummy user accounts that gets added as part of IIS. I see a couple of these on one win2k server that I maintain:
"IWAM_<hostname>" (Launch IIS Process Account)
"IUSER_<hostname>" (Internet Guest Account)
Luke
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Brent_OKeeffe@asc.aon.com
Sent: Monday, June 21, 2004 1:45 PM
To: nanog@merit.edu
Subject: Interesting Occurrence
> Okay... Here is a new one for me. Got a call from my dad saying he left his PC on last night connected to his broadband. He went to log in this morning and noticed a new ID in his user list - IWAP_WWW. He immediately deleted it and called me. I had him ensure his critical updates were all applied - they were. I had him ensure his antivirus was up to date - it was (Norton Antivirus 2004). He is running XP Home.
> I searched the antivirus sites and elsewhere for references. Any idea if there is a new vulnerability that has not been publicly released? Any clues?
> Regards, Brent
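Added example, not part of any message in this thread: a triage check that separates the IIS built-in account names for a given host from names that only resemble them, such as the reported IWAP_WWW. The hostname DADPC and the sample account list are constructed, the 0.75 similarity threshold is an assumption, and the guest prefix is written IUSR_ (the name IIS itself uses) rather than IUSER_ as in the message above.

```python
import difflib

# Prefixes IIS 5/6 uses for its built-in local accounts. The message above
# writes the guest account as "IUSER_"; IIS itself names it IUSR_<computername>.
IIS_PREFIXES = ("IWAM_", "IUSR_")


def classify_account(name, hostname, threshold=0.75):
    """Classify one local account name as 'expected', 'lookalike' or 'unrelated'.

    'expected'  : exactly <known prefix><hostname>
    'lookalike' : a known prefix with a suffix that is not this host, or a
                  prefix that is close to, but not equal to, a known one
    The threshold is an assumed value, not taken from the thread.
    """
    upper, host = name.upper(), hostname.upper()
    if "_" not in upper:
        return "unrelated"
    prefix, suffix = upper.split("_", 1)
    prefix += "_"
    if prefix in IIS_PREFIXES:
        return "expected" if suffix == host else "lookalike"
    # Near-miss prefixes (one letter swapped, added or dropped) score high here.
    best = max(difflib.SequenceMatcher(None, prefix, known).ratio()
               for known in IIS_PREFIXES)
    return "lookalike" if best >= threshold else "unrelated"


def triage(accounts, hostname):
    """Return the account names that deserve a closer look, in input order."""
    return [a for a in accounts if classify_account(a, hostname) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample: account list of a hypothetical XP machine named
    # DADPC, plus the account name reported in the thread.
    sample = ["Administrator", "Guest", "HelpAssistant",
              "SUPPORT_388945a0", "Dad", "IWAP_WWW"]
    for acct in sample:
        print(f"{acct:18} {classify_account(acct, 'DADPC')}")
```

A name flagged as a lookalike is only a prompt to check when and how the account was created; the check says nothing about how it got there.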
you sent html as opposed to an email message. as i do not use a web browser to read mail, i can not read your message. if you want me to read your email, send email. randy
On Mon, Jun 21, 2004 at 12:44:50PM -0500, Brent_OKeeffe@asc.aon.com wrote:
> Okay... Here is a new one for me. Got a call from my dad saying he left his PC on last night connected to his broadband. He went to log in this morning and noticed a new ID in his user list - IWAP_WWW. He immediately deleted it and called me. I had him ensure his critical updates were all applied - they were. I had him ensure his antivirus was up to date - it was (Norton Antivirus 2004). He is running XP Home.
> I searched the antivirus sites and elsewhere for references. Any idea if there is a new vulnerability that has not been publicly released? Any clues?
Dare I ask, what part of "North American Network Operators Group" made you think that this could POSSIBLY be on-topic or of interest to anyone here?
--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
I'm sure Susan will make sure to revoke his posting rights.
-chris
On Mon, 21 Jun 2004, Richard A Steenbergen wrote:
> On Mon, Jun 21, 2004 at 12:44:50PM -0500, Brent_OKeeffe@asc.aon.com wrote:
> > Okay... Here is a new one for me. Got a call from my dad saying he left his PC on last night connected to his broadband. He went to log in this morning and noticed a new ID in his user list - IWAP_WWW. He immediately deleted it and called me. I had him ensure his critical updates were all applied - they were. I had him ensure his antivirus was up to date - it was (Norton Antivirus 2004). He is running XP Home.
> > I searched the antivirus sites and elsewhere for references. Any idea if there is a new vulnerability that has not been publicly released? Any clues?
> Dare I ask, what part of "North American Network Operators Group" made you think that this could POSSIBLY be on-topic or of interest to anyone here?
> --
> Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Try Securityfocus' Incidents list.
On Mon, Jun 21, 2004 at 12:44:50PM -0500, Brent_OKeeffe@asc.aon.com wrote:
> Okay... Here is a new one for me. Got a call from my dad saying he left his PC on last night connected to his broadband. He went to log in this morning and noticed a new ID in his user list - IWAP_WWW. He immediately deleted it and called me. I had him ensure his critical updates were all applied - they were. I had him ensure his antivirus was up to date - it was (Norton Antivirus 2004). He is running XP Home.
> I searched the antivirus sites and elsewhere for references. Any idea if there is a new vulnerability that has not been publicly released? Any clues?
> Regards, Brent
participants (7)
- Brent_OKeeffe@asc.aon.com
- Christian Malo
- Jeff Shultz
- John Kinsella
- Luke Starrett
- Randy Bush
- Richard A Steenbergen