Subj : Bugbear.A virus notes
To   : Mike Ruskai
From : Mike Luther
Date : Thu Oct 17 2002 12:38 am

Mike ..

MR> The user management screen has a set of radio buttons for making the
MR> password optional or required. It defaults to optional for the GUEST
MR> account. It defaults to required for all new accounts.

MR> I'm not sure if there are any command-line user management programs

MR> Basically, one should leave the GUEST account as is, and create new ones
MR> for password-protected access to resources.

There is such a button combination, including the 'expire password' check box in the Shared Resources setup folder. However in this case, when the two attacks managed to get in, this was firmly set so that the GUEST required a password. It was not optional at all. And in this case it only had USER rights checked.

I haven't got my notes in front of me, but from reading the Usegroups, I know that there is a utility tool for command line use which will, I think I recall it right, create a new user with ADMIN rights from the get go at command prompt level. Further I think I recall that you can also copy over the NET.ACC account from the install directory into the appropriate place in the operations game. That will restore the standard OPERATOR - PASSWORD and GUEST with no password game to get you back in if you can't remember this and that.

But doing this on a bust in Port 136/7 - 139 romp? If that happened, my customized access profiles would then be gone too and they hadn't changed at all in re what had been set, despite the escapades. No new goodies shown there at all from what was there earlier. Nor did the LAN register anyone logged in when it was happening ...

As we noted in the discussion, OS/2 doesn't have any three strikes and you are out or such password pranging block. You can mash on it en masse trying to break in. And, in both cases, I wasn't around when it started.

But if there wasn't anyone logged in when it was happening in the logout, yet it was happening, something had to be grossly wrong. And we never found out what it was that was bad.

As I think I recall all the discourse that went on at the time, NIMDA.A was seeking the use of boxes with NETBIOS over TCP/IP which had a GUEST account with no password, or an ADMIN account with no password, or a box on which the pest could establish administrative rights and create shares on the fly via this or that attack mode for what it wanted.

I even thought about the possibility that even though you might have had a GUEST with no password, and created shared resources for it with read/write capability, you could have then gotten rid of GUEST in LAN/UPM. But you might have still left GUEST defined in the shared resources folder and so on I think you are citing here. I can visualize how that might get you into hot water with NB over TCP/IP and far places. However that wasn't the case here either and the install admin plus password was gone too.

--> Sleep well; OS/2's still awake! ;)

Mike @ 1:117/3001

--- Maximus/2 3.01
 * Origin: Ziplog Public Port (1:117/3001)