Bugtraq mailing list archives
Re: Windows Sharing Allows Internet Tracking
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Fri, 23 Mar 2001 13:07:24 +0300
Hello Preston, Thursday, March 22, 2001, 2:12:30 AM, you wrote: PWC> When logging into a share via NetBIOS, on a NT-to-NT connection, PWC> the user connecting will have his/her Temporary Internet Files PWC> transferred onto the server which they have connected to. You PWC> would find it in this type of path: PWC> c:\winnt\profiles\Administrator\Temporary Internet Files. If you PWC> believe that you are victim to an intruder, definitely check this PWC> folder. I have examined many of the NT "rootkit" techniques and PWC> suites, with none that include cleaning out the transferred PWC> cache. You may or may not find a definitive profile right away of PWC> your intruder, but by common investigation, it should lead you to PWC> something. You will find most recently visited sites, as well as PWC> cookies from the intruding computer (turn the tables on them =) PWC> ). Nonsense. NT never transfers any files then connecting through network share. During network logon NT doesn't use profile at all. Files from user's profile (if roaming network profile configured for user) only transferred from server configured by Administrator in "User profile path" setting of user's account then user logons _locally_. If you fond strange files in your Administrator's profile it means someone of your _local_ users used Administrator's account to logon to this computer or to any another computer (if roaming profiles is used). Or may be you discovered a strange kind of hacker who retrieved password of your Administrator, created new computer account in your domain and used Administrator account to logon to his own computer :))) BTW, in case of roaming profile it's common practice to exclude "Local Settings" and "Temporary Internet Files" from roaming. It's possible to use system policy editor (poledit.exe). In User Policy choose "Windows NT User Profiles" and check "Exclude directories in roaming profile". -- ~/3APA3A Èòàê, ÿ áóäó êðàòîê. (Òâåí)
Current thread:
- Windows Sharing Allows Internet Tracking Preston W Chang (Mar 22)
- Re: Windows Sharing Allows Internet Tracking 3APA3A (Mar 23)
- Re: Windows Sharing Allows Internet Tracking Marc Maiffret (Mar 25)
- <Possible follow-ups>
- Windows Sharing Allows Internet Tracking Bill Sobel (Mar 26)
- Re: Windows Sharing Allows Internet Tracking Adam Carter (Mar 26)