General discussion

Locked

Help Assistant Account

By TechNewsletters ·
Somthing came up last week. What appears to be a hack attempt on all of our domain controllers and some member servers. The hack some how created a ?helpassistant? account and added it to the administrators group of the child domains, and in some local admin groups of member servers. This hack created and added this account, and also removed default groups from the ?access this computer from the network? local security policy except for the helpassistant account that it created.

Can?t tell yet if this intrusion is destructive to data in anyway. So far, we've just noticed account and local security policy changes. Here is a link to a similar incident that was documented less than a month ago-

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20464255.html
Has anyone expierenced somthing similar to this???

This conversation is currently closed to new comments.

5 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Help Assistant Account

by MCS-1 In reply to Help Assistant Account

From Microsoft's site: The primary account used to establish a Remote Assistance session. This account is created automatically when you request a Remote Assistance session and has limited access to the computer. The HelpAssistant account is managedby the Remote Desktop Help Session Manager service and will be automatically deleted if no Remote Assistance requests are pending.

Believe me, I was going to say the same thing, but Microsoft said it better :)

Collapse -

Help Assistant Account

by TechNewsletters In reply to Help Assistant Account

none of these are XP machines and it appeared on SERVERS running windows nt4 and windows 2000. Over 700 Servers were affected. Not desktops.
Didnt help

Collapse -

Help Assistant Account

by DKlippert In reply to Help Assistant Account

Here's a MS reference:

http://tinyurl.com/5nvv

Collapse -

Help Assistant Account

by TechNewsletters In reply to Help Assistant Account

none of these are XP/.NET machines and it appeared on SERVERS running windows nt4 and windows 2000. Over 700 Servers were affected. Not desktops.
Didnt help

Collapse -

by TechNewsletters In reply to Help Assistant Account

This question was closed by the author

Back to Security Forum
5 total posts (Page 1 of 1)  

Related Discussions

Related Forums