Bugtraq mailing list archives

Re: Windows Sharing Allows Internet Tracking


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Fri, 23 Mar 2001 13:07:24 +0300

Hello Preston,

Thursday, March 22, 2001, 2:12:30 AM, you wrote:

PWC> When logging into a share via NetBIOS, on a NT-to-NT connection,
PWC> the user connecting will have his/her Temporary Internet Files
PWC> transferred onto the server which they have connected to. You
PWC> would find it in this type of path:
PWC> c:\winnt\profiles\Administrator\Temporary Internet Files. If you
PWC> believe that you are victim to an intruder, definitely check this
PWC> folder. I have examined many of the NT "rootkit" techniques and
PWC> suites, with none that include cleaning out the transferred
PWC> cache. You may or may not find a definitive profile right away of
PWC> your intruder, but by common investigation, it should lead you to
PWC> something. You will find most recently visited sites, as well as
PWC> cookies from the intruding computer (turn the tables on them =)
PWC> ).

Nonsense. NT never transfers any files when connecting through a network
share. During network logon NT doesn't use the profile at all. Files from
the user's profile (if a roaming network profile is configured for the
user) are only transferred from the server configured by the Administrator
in the "User profile path" setting of the user's account when the user logs
on _locally_. If you found strange files in your Administrator's profile it
means one of your _local_ users used the Administrator's account to log on
to this computer or to any other computer (if roaming profiles are used). Or
maybe you discovered a strange kind of hacker who retrieved the password
of your Administrator, created a new computer account in your domain and
used the Administrator account to log on to his own computer :)))

BTW, in the case of a roaming profile it's common practice to exclude "Local
Settings" and "Temporary Internet Files" from roaming. It's possible
to use the System Policy Editor (poledit.exe). In User Policy choose
"Windows NT User Profiles" and check "Exclude directories in roaming
profile".


--
~/3APA3A
So, I will be brief. (Twain)

