Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Strange Folder

From: "Nick Jacobsen" <nick () ethicsdesign com>
Date: Sat, 5 Oct 2002 16:29:31 -0700
Two questions:
One: do you have the remote desktop (Terminal Services) enabled?  or any
other remote desktop software? (it is enabled by default on win2k server,
but I am not sure about win2k pro...)
Two: are you a member of a domain?

If yes to both these questions, then most likely someone used RD to log onto
you machine with a domain level username and password...  just my $.02

Nick Jacobsen,
Ethics Design
nick () ethicsdesign com

----- Original Message -----
From: "discipulus" <rootman22 () attbi com>
To: <incidents () securityfocus com>
Sent: Saturday, October 05, 2002 6:34 AM
Subject: Strange Folder





Hi,

The other day I noticed a strange folder had been created
on my W2K Pro machine at work.

The folder had been created in C:\Documents and Settings and
didn't have an account name but four or five odd looking square
block characters instead.  When I right click on the folder and
choose "properties", it displays the name as "rrrrr".  When I click
on the "Security" tab, it shows my account with "Full" access and
somebody else who shouldn't have access to my PC with "Full" access.
I don't know who this person is but they aren't located in our office
and wouldn't have physical access to my PC.

I had previously restricted access to my machine to only myself and
the administrator account.  No other account besides administrator or
my account has access to C:\ or any other drives.

I religiously keep my PC up to date on all security patches.

I had security logging turned on and it shows where this person connected
to my machine via NTLM on the same day the weird folder was created
but it doesn't show anything other than the logon/logoff session was
successful.

Has my account/PC been compromised?

AFAIK, the only way a new folder would be created in C:\Documents and

Settings\

is for "first time" logins.

Can anyone help clear this up for me?

Thanks


--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: