March 2nd, 2005, 06:07 AM
windows privilege escalation?
I was in the computer lab at my school today and I noticed that a few of the computers had not been logged off, so I went to log them off and noticed that several of them had a different background. When I looked into it further, I noticed that all of the accounts with different backgrounds were regular student accounts and that they had full admin privileges, which they definitely shouldn't have had. I think it's safe to assume that they ran some sort of program that did it for them; I'd just like to find out what it was and how it worked. I'm guessing it was some popular Windows rootkit or something. Can somebody maybe give me their opinion on what they think it was and what I should do about it? (I've got all their account names.) The compromised boxes were running Windows XP Professional SP1 and I'm pretty sure all of their security measures were done with poledit.
March 2nd, 2005, 09:33 AM
How do you know they had 'full admin' privs?
Experience is something you don't get until just after you need it.
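The reply above asks how the poster knows the accounts really had admin rights. The usual way to settle that is to list the members of the local Administrators group on the machine and compare them against what the administrator expects. The script below is an added example written for this thread, not code from any poster; it uses `net localgroup`, which exists on Windows XP and later, and the allow-list of expected members (`Administrator` and a `LAB\Domain Admins` group) is a constructed assumption to be replaced with the real names for the environment.

```powershell
# Added example (not from the thread): compare the local Administrators group
# membership against an expected allow-list and report any extra members.
# `net localgroup` works on Windows XP through current versions.
# The allow-list below is a constructed assumption; adjust it to your environment.

$Expected = @(
    'Administrator',
    'LAB\Domain Admins'          # assumed domain group name, not from the thread
)

function Get-LocalAdministrators {
    # Run `net localgroup Administrators` and keep only the member lines,
    # which appear between the dashed separator and the closing status line.
    $raw = & net localgroup Administrators 2>&1
    $members = @()
    $inList = $false
    foreach ($line in $raw) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim() -ne '') { $members += $line.Trim() }
    }
    return $members
}

function Find-UnexpectedAdmins {
    # Return every member that is not on the allow-list.
    param([string[]]$Members, [string[]]$Allowed)
    $Members | Where-Object { $Allowed -notcontains $_ }
}

$members = Get-LocalAdministrators
$extra   = Find-UnexpectedAdmins -Members $members -Allowed $Expected

if ($extra) {
    Write-Output "Unexpected members of local Administrators on $($env:COMPUTERNAME):"
    $extra | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "Local Administrators group matches the expected list."
}
```

Running this on each lab machine (it needs to be run by an account that can read local group membership) gives a concrete list of which student accounts were added to Administrators, which is far more useful to the school's admin than "they had a different background." Nested domain groups are shown by name only, so any group in the output should be expanded separately if its membership is in question.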
March 2nd, 2005, 03:39 PM
Tell your administrator, definitely, and maybe do a Google search for privilege rootkits or something like that.
I know your type, you think "I'll just get me a costume, rip off the neighborhood kids". Next thing you know, you've got a jet shaped like a skull with lasers on the front!
March 2nd, 2005, 06:43 PM
What it could have been is they may have just been logged in as the local computer administrator so they could install some new programs or whatever, but were not logged in as the domain admin.
Ben Franklin said it best. "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
March 2nd, 2005, 07:38 PM
I would say, check out this thread:
Jareds411 had a similar problem to yours, and the recommendation was to alert your admin anonymously.
Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer.
-- Homer S.
March 2nd, 2005, 08:04 PM
Ok, honestly, if I were still in school (it's been a few millennia since I was) I would be tempted to keep this under my hat and see what I could do with the "admin" accounts.
But most likely that won't get you anywhere you wanna go.
I personally wouldn't worry too much about just straight out informing the admin of what you observed. In most cases being straightforward about something like this, in a tactful way, will be respected by any admin with half a brain. If I were your admin, I would want to see, and would be interested in knowing, how my security was bypassed, not shoot the messenger...
Of course you can try the email or letter to him/her without ever giving up who you are... I just don't see the point.
~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: not good for anything, but the thought of pushing them down the stairs brings a smile to your face!
March 2nd, 2005, 10:03 PM
March 2nd, 2005, 10:41 PM
I highly doubt that any student got admin privileges and then forgot to log out. Some schools have students that are good with networks and computers help out the school system admin for voluntary credits, because that's a requirement to get into a lot of colleges. So the system admin gives them some more privileges on their accounts to make helping out easier. That's just what goes on in my school anyway; I'm guessing the same goes on in yours and many others...
March 2nd, 2005, 11:52 PM
Well, I'm positive that the student accounts aren't supposed to have those privileges. They aren't like the administrator privs the school network admins would have; they just have the privileges to do whatever they want on that machine locally. They can read/write anywhere, run regedit, change the background, install things, etc. I know that there isn't any way that they got these privs legitimately either.
March 2nd, 2005, 11:59 PM
Well, I'm positive that the student accounts aren't supposed to have those privileges. They aren't like the administrator privs the school network admins would have; they just have the privileges to do whatever they want on that machine locally. They can read/write anywhere, run regedit, change the background, install things. I know there isn't any way that they would have gotten these privs legitimately. I dunno what to search on Google; I've tried Windows rootkits and several other things. I expect that there's some well known program that they used for it, but maybe not... How else could they have done it?