RE: Suspicious network activity advice

["Jim Parkhurst" <JPARKHUR () dot state tx us>]

For example: "ShareEnum" from SysInternals (now part of Microsoft)?
see: http://www.microsoft.com/technet/sysinternals/Networking/ShareEnum.mspx 

> From the above: "When you run ShareEnum it uses NetBIOS enumeration to scan all the computers within the domains 
> accessible to it, showing file and print shares and their security settings. Because only a domain adminstrator has 
> the ability to view all network resources, ShareEnum is most effective when you run it from a domain adminstrator 
> account."

I ran this and received emails from users across our statewide LAN asking why I had logged in (connected) to their 
workstation.

-Jim

> > > "tima soni" <tima.soni () gmail com> 12/28/2006 13:01 >>>
Hi Stephane,

A file search in the network can definitely produce similar results..
Did you use any tool to search on the network?


Regards

Tima

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Stephane Boulet
Sent: Tuesday, December 26, 2006 9:06 AM
To: security-basics () securityfocus com 
Subject: RE: Suspicious network activity advice

Do you have Google desktop or MSN desktop.. anything like this?

-----Message d'origine-----
De : listbounce () securityfocus com [mailto:listbounce () securityfocus com] De
la part de infinite_uk () hotmail com 
Envoyé : 22 décembre 2006 06:22
À : security-basics () securityfocus com 
Objet : Suspicious network activity advice

Could anyone offer me some advice or guidance with this please. 

I am developer and have been suspend from work because of ‘suspicious
network activity’. It’s a corporate network (local government) predominantly
running a combination Microsoft OS’s across many sites. 

It seems that many computers on the corporate network have entries in their
event logs to say that my system logged onto these machines for any instant.
This happens three times of the course of a single day and but second time
my computer’s events log shows that each of these computers have logged back
into my system. 
The IT audit section sent the computer away and it came back clean e.g. no
viruses and their stance seems to be that they don’t know what has happened
but they believe that I have used some kind of scanning software. 

I’m trying desperately to find another explanation for this, can anyone
suggest what might have happened. Could using something like visio or a
simple file search across the network produce similar activity? 

They did seems to think that it was relevant that each computer was contact
in alphabetical order not IP order. 
Any help would be greatly appreciated. 



---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------