Security Incidents mailing list archives
Re: Strange Folder
From: discipulus <rootman22 () attbi com>
Date: 07 Oct 2002 05:44:49 -0600
Thanks Mike, I don't think this would work on my computer because I had previously disabled all the admin shares. I also tweaked the registry so that shares would not become enabled after reboot. Also, I had MS File and Printer Sharing turned off, so my computer wasn't visible in "Network Neighborhood" or "My Network Places".

Thanks for the link, I read through it. Near the bottom, it says:

"To disable anonymous connections altogether, block access to tcp139/445 (IPSec port filters or Internet Connection Firewall), or uncheck "File and Print Sharing for Microsoft Networks" from the network interface in question (via the properties tab of the network connection)."

I'm unsure as to whether or not ports 139/445 are blocked but I'll find out today. If they are enabled, I'll block them.

Thanks

On Sun, 2002-10-06 at 15:45, Midkaemia wrote:
> Another possibility is that they have exploited the default "null sessions" vulnerability of a netbios enabled windows machine. They don't have to be a domain user, they just connect as follows..
>
> net use * \\<target>\<any admin share> /user:"" ""
>
> admin shares can be...
>
> ipc$
> c$
> <any other drive>$
> admin$
>
> They can also connect to any public share with no security set.
>
> This way they connect with a blank username and a blank password.
>
> A single registry key fixes some of the associated problems. See the following link for a discussion of some of the nitty gritty.
>
> http://cert.uni-stuttgart.de/archive/focus-ms/2002/03/msg00088.html
>
> Cheers
> Mike
--
"The Computer made me do it."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
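
Added example, not part of the original message or the linked article: one way to find out whether TCP 139/445 on your own machine are reachable, run from a second host on the same network. The function names `probe` and `assess` and the address `192.0.2.10` are placeholders chosen for this sketch; substitute the address of the machine you administer.

```python
import socket

# The two ports named in the quoted advice: NetBIOS session service
# (139) and direct-hosted SMB (445).
SMB_PORTS = (139, 445)


def probe(host, port, timeout=2.0):
    """Classify one TCP port on a host you administer.

    'open'     - the handshake completed: a service accepts connections,
                 so file sharing is reachable from where this runs.
    'closed'   - the host refused the connection: nothing is listening
                 (or a filter is actively rejecting the attempt).
    'filtered' - no usable answer before the timeout, which is what a
                 packet filter that silently drops traffic looks like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        raise  # a bad host name is an input error, not a port state
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, host or network unreachable
        return "filtered"


def assess(host, ports=SMB_PORTS, timeout=2.0):
    """Return ({port: state}, [ports that still accept connections])."""
    states = {p: probe(host, p, timeout) for p in ports}
    exposed = sorted(p for p, s in states.items() if s == "open")
    return states, exposed


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder address.
    states, exposed = assess("192.0.2.10")
    for port, state in sorted(states.items()):
        print(f"tcp/{port}: {state}")
    if exposed:
        print("Still reachable, block or disable:", exposed)
    else:
        print("Neither port accepted a connection from this vantage point.")
```

The result only describes the path from the probing machine: a port that is filtered from the LAN side can still be open to another interface, so repeat the check from each network the PC is attached to.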