Re: Strange Folder

[discipulus <rootman22 () attbi com>]

Thanks Robbert,

I think I need to clarify some things.

I know the name the folder had previously been
the name of the perpetrators login because I see
evidence of this in the "USER.DAT" file located at
the root of this folder.  I have no idea why the
folder didn't retain it's original name.

I need to identify the method used to access my PC.

I need to identify what the perpetrator had access to
when they logged onto my PC.

I need to discern whether or not this access was authorized
or intended for malicious purposes.

In other words, I need to get all my ducks in a row
before making any accusations.

Thanks





On Sun, 2002-10-06 at 06:55, Robbert Helling wrote:
> run cmd, go to the documents and settings folder and do a dir, now you see 
> the full name, try a rename, windows is buggy with ansi chars :)
>
> At 15:34 5-10-2002, you wrote:
>
>
> > Hi,
> >
> > The other day I noticed a strange folder had been created
> > on my W2K Pro machine at work.
> >
> > The folder had been created in C:\Documents and Settings and
> > didn't have an account name but four or five odd looking square
> > block characters instead.  When I right click on the folder and
> > choose "properties", it displays the name as "rrrrr".  When I click
> > on the "Security" tab, it shows my account with "Full" access and
> > somebody else who shouldn't have access to my PC with "Full" access.
> > I don't know who this person is but they aren't located in our office
> > and wouldn't have physical access to my PC.
> >
> > I had previously restricted access to my machine to only myself and
> > the administrator account.  No other account besides administrator or
> > my account has access to C:\ or any other drives.
> >
> > I religiously keep my PC up to date on all security patches.
> >
> > I had security logging turned on and it shows where this person connected
> > to my machine via NTLM on the same day the weird folder was created
> > but it doesn't show anything other than the logon/logoff session was
> > successful.
> >
> > Has my account/PC been compromised?
> >
> > AFAIK, the only way a new folder would be created in C:\Documents and 
> > Settings\
> > is for "first time" logins.
> >
> > Can anyone help clear this up for me?
> >
> > Thanks
> >
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
-- 
Maryel brought her bat into Exit once and started whacking people on
the dance floor.  Now everyone's doing it.  It's called grand slam
dancing.
                -- Ransford, Chicago Reader 10/7/83


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com