Security Incidents mailing list archives
Re: Strange Folder
From: "Nick Jacobsen" <nick () ethicsdesign com>
Date: Sat, 5 Oct 2002 16:29:31 -0700
Two questions:

One: do you have the remote desktop (Terminal Services) enabled? Or any other remote desktop software? (It is enabled by default on win2k server, but I am not sure about win2k pro...)

Two: are you a member of a domain?

If yes to both these questions, then most likely someone used RD to log onto your machine with a domain level username and password...

just my $.02

Nick Jacobsen, Ethics Design
nick () ethicsdesign com

----- Original Message -----
From: "discipulus" <rootman22 () attbi com>
To: <incidents () securityfocus com>
Sent: Saturday, October 05, 2002 6:34 AM
Subject: Strange Folder

Hi,

The other day I noticed a strange folder had been created on my W2K Pro machine at work. The folder had been created in C:\Documents and Settings and didn't have an account name but four or five odd looking square block characters instead. When I right click on the folder and choose "properties", it displays the name as "rrrrr". When I click on the "Security" tab, it shows my account with "Full" access and somebody else who shouldn't have access to my PC with "Full" access. I don't know who this person is but they aren't located in our office and wouldn't have physical access to my PC.

I had previously restricted access to my machine to only myself and the administrator account. No other account besides administrator or my account has access to C:\ or any other drives. I religiously keep my PC up to date on all security patches. I had security logging turned on and it shows where this person connected to my machine via NTLM on the same day the weird folder was created but it doesn't show anything other than the logon/logoff session was successful.

Has my account/PC been compromised? AFAIK, the only way a new folder would be created in C:\Documents and Settings\ is for "first time" logins. Can anyone help clear this up for me?

Thanks

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com