Security Basics mailing list archives
RE: Suspicious network activity advice
From: "Jim Parkhurst" <JPARKHUR () dot state tx us>
Date: Wed, 03 Jan 2007 10:11:36 -0600
For example: "ShareEnum" from SysInternals (now part of Microsoft)? See: http://www.microsoft.com/technet/sysinternals/Networking/ShareEnum.mspx

From the above: "When you run ShareEnum it uses NetBIOS enumeration to scan all the computers within the domains accessible to it, showing file and print shares and their security settings. Because only a domain administrator has the ability to view all network resources, ShareEnum is most effective when you run it from a domain administrator account."

I ran this and received emails from users across our statewide LAN asking why I had logged in (connected) to their workstation.

-Jim
"tima soni" <tima.soni () gmail com> 12/28/2006 13:01 >>>
Hi Stephane,

A file search in the network can definitely produce similar results. Did you use any tool to search on the network?

Regards
Tima

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Stephane Boulet
Sent: Tuesday, December 26, 2006 9:06 AM
To: security-basics () securityfocus com
Subject: RE: Suspicious network activity advice

Do you have Google desktop or MSN desktop... anything like this?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of infinite_uk () hotmail com
Sent: December 22, 2006 06:22
To: security-basics () securityfocus com
Subject: Suspicious network activity advice

Could anyone offer me some advice or guidance with this please.

I am a developer and have been suspended from work because of ‘suspicious network activity’. It’s a corporate network (local government) predominantly running a combination of Microsoft OS’s across many sites.

It seems that many computers on the corporate network have entries in their event logs to say that my system logged onto these machines for an instant. This happens three times over the course of a single day, but the second time my computer’s event log shows that each of these computers has logged back into my system.

The IT audit section sent the computer away and it came back clean, e.g. no viruses, and their stance seems to be that they don’t know what has happened but they believe that I have used some kind of scanning software.

I’m trying desperately to find another explanation for this; can anyone suggest what might have happened? Could using something like Visio or a simple file search across the network produce similar activity? They did seem to think that it was relevant that each computer was contacted in alphabetical order, not IP order.

Any help would be greatly appreciated.
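An added example, not part of any message in this thread: one way an auditor could test the "alphabetical order, not IP order" observation from collected logon records, by splitting each source's logons into bursts and checking whether the targets were visited in name order (consistent with walking a name-sorted list such as an enumeration result) or in address order (consistent with walking an IP range). The record layout, host names, addresses and thresholds are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
FMT = "%Y-%m-%d %H:%M:%S"
# Constructed inventory (computer name -> IP); every name and address is made up.
HOSTS = {"ACCT-01": "10.1.9.40", "BLDG-03": "10.1.2.17", "COURT-02": "10.1.7.5",
         "DMV-11": "10.1.1.200", "FIN-04": "10.1.4.8"}

def sweep(src, start, targets):
    """Constructed records: one network logon per second from src to each target."""
    t0 = datetime.strptime(start, FMT)
    return [((t0 + timedelta(seconds=i)).strftime(FMT), src, name, HOSTS[name])
            for i, name in enumerate(targets)]
by_ip = sorted(HOSTS, key=lambda n: int(ipaddress.ip_address(HOSTS[n])))
EVENTS = (sweep("DEV-PC07", "2006-12-20 09:14:00", sorted(HOSTS))
          + sweep("LAB-SCAN", "2006-12-20 11:02:00", by_ip)
          + sweep("DEV-PC07", "2006-12-20 13:30:00", sorted(HOSTS))
          + sweep("HR-PC02", "2006-12-20 14:00:00", ["FIN-04", "ACCT-01"]))

def out_of_order(seq):
    """Fraction of adjacent pairs that descend (0.0 means fully sorted)."""
    return sum(a > b for a, b in zip(seq, seq[1:])) / (len(seq) - 1)

def classify_sweeps(events, min_targets=5, max_gap=timedelta(seconds=60)):
    """Split each source's logons into bursts and label the order of targets."""
    by_source = defaultdict(list)
    for ts, src, name, ip in events:
        row = (datetime.strptime(ts, FMT), name.upper(), int(ipaddress.ip_address(ip)))
        by_source[src].append(row)
    findings = []
    for src, rows in by_source.items():
        rows.sort(key=lambda r: r[0])          # stable: ties keep log order
        bursts = [[rows[0]]]
        for row in rows[1:]:
            if row[0] - bursts[-1][-1][0] > max_gap:
                bursts.append([])              # quiet gap ends the burst
            bursts[-1].append(row)
        for burst in bursts:
            names, ips = [r[1] for r in burst], [r[2] for r in burst]
            if len(set(names)) < min_targets:
                continue                       # a few servers is ordinary use
            if out_of_order(names) <= 0.1:
                order = "name"                 # walked a name-sorted list
            elif out_of_order(ips) <= 0.1:
                order = "ip"                   # walked an address range
            else:
                order = "unordered"
            findings.append((src, burst[0][0].strftime("%H:%M:%S"), len(burst), order))
    return findings
```

Calling `classify_sweeps(EVENTS)` on the constructed data reports two name-ordered bursts from DEV-PC07 and one address-ordered burst from LAB-SCAN, and ignores HR-PC02's two ordinary connections.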