Security Incidents mailing list archives
Re: Strange Folder
From: discipulus <rootman22 () attbi com>
Date: 06 Oct 2002 08:04:20 -0600
Thanks Robbert, I think I need to clarify some things. I know the name the folder had previously been the name of the perpetrators login because I see evidence of this in the "USER.DAT" file located at the root of this folder. I have no idea why the folder didn't retain it's original name. I need to identify the method used to access my PC. I need to identify what the perpetrator had access to when they logged onto my PC. I need to discern whether or not this access was authorized or intended for malicious purposes. In other words, I need to get all my ducks in a row before making any accusations. Thanks On Sun, 2002-10-06 at 06:55, Robbert Helling wrote:
run cmd, go to the documents and settings folder and do a dir, now you see the full name, try a rename, windows is buggy with ansi chars :) At 15:34 5-10-2002, you wrote:Hi, The other day I noticed a strange folder had been created on my W2K Pro machine at work. The folder had been created in C:\Documents and Settings and didn't have an account name but four or five odd looking square block characters instead. When I right click on the folder and choose "properties", it displays the name as "rrrrr". When I click on the "Security" tab, it shows my account with "Full" access and somebody else who shouldn't have access to my PC with "Full" access. I don't know who this person is but they aren't located in our office and wouldn't have physical access to my PC. I had previously restricted access to my machine to only myself and the administrator account. No other account besides administrator or my account has access to C:\ or any other drives. I religiously keep my PC up to date on all security patches. I had security logging turned on and it shows where this person connected to my machine via NTLM on the same day the weird folder was created but it doesn't show anything other than the logon/logoff session was successful. Has my account/PC been compromised? AFAIK, the only way a new folder would be created in C:\Documents and Settings\ is for "first time" logins. Can anyone help clear this up for me? Thanks ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-- Maryel brought her bat into Exit once and started whacking people on the dance floor. Now everyone's doing it. It's called grand slam dancing. -- Ransford, Chicago Reader 10/7/83 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Strange Folder discipulus (Oct 05)
- Re: Strange Folder Nick Jacobsen (Oct 06)
- Message not available
- Re: Strange Folder discipulus (Oct 06)
- Re: Strange Folder Midkaemia (Oct 06)
- Re: Strange Folder discipulus (Oct 07)
- Message not available
- Re: Strange Folder Nick Jacobsen (Oct 06)
- <Possible follow-ups>
- Re: Strange Folder discipulus (Oct 06)
- Re: Strange Folder Neil Dickey (Oct 06)
- Re: Strange Folder discipulus (Oct 06)
- Forensics CD (was: Re: Strange Folder Meritt James (Oct 07)
- Re: Forensics CD (was: Re: Strange Folder Chet Uber (Oct 08)
- Re: Forensics CD (was: Re: Strange Folder Ryan McBride (Oct 08)