Security Incidents mailing list archives

Re: SPM2000$ Rouge Share


From: Harlan Carvey <keydet89 () yahoo com>
Date: Tue, 18 Mar 2003 12:22:48 -0800 (PST)

Jon,

> I have two [NT and 2K] servers that have an administrative share named
> SPM2000$. This share has full access rights to drive C for the Everyone
> group. I can deactivate it, but since it's an administrative share it's
> going to come back at reboot.

Can you please elaborate on this last statement?  Just
b/c a share is a "hidden" share by virtue of the "$"
appended to the end of the name, that doesn't mean
that it's an administrative share that's going to
return on reboot.

Even so, the administrative shares are rather
trivially disabled w/ a simple Registry edit...one can
disable the appearance of C$, D$, etc, quite easily.

Let me ask you this...is this a statement you've made
based on assumption or experience?  By experience, I
mean have you deleted the share, rebooted, and found
it there again?
 
> After "Googling" the string, I found something called Service Pack Manager
> 2000, but I don't think that's what created this as this software uses the
> default ADMIN$ share.
> Have any of you seen this share anywhere before?

That's a good question.  And I think it's equally
important to ask how it got there.  If you cannot
attribute the share to an authorized installed
application, then perhaps a compromise should be
considered.

Harlan
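The two checks Harlan raises, whether a "$" share is actually one of the built-in administrative shares and whether the Registry setting that recreates them is in effect, as an added example that is not part of the original thread. It assumes a current Windows host with the SmbShare module (Windows 8 / Server 2012 or later) and an elevated PowerShell session; the LanmanServer parameter names are the documented Windows values, not anything from the thread.

```powershell
# Added example (not from the original thread): audit hidden SMB shares for
# Everyone/Full access and report whether automatic admin shares are enabled.
# Assumes the SmbShare module (Windows 8 / Server 2012+) and an elevated shell.

$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Shares the Server service recreates at boot: ADMIN$, IPC$ and one per drive.
# Any other name ending in '$' is merely hidden, not administrative.
$builtinAdminShares = @('ADMIN$', 'IPC$') +
    (Get-PSDrive -PSProvider FileSystem | ForEach-Object { "$($_.Name)$" })

$report = foreach ($share in Get-SmbShare) {
    $isHidden  = $share.Name.EndsWith('$')
    $isBuiltin = $builtinAdminShares -contains $share.Name.ToUpper()

    # The condition Jon described: an Allow ACE giving Everyone Full access.
    $everyoneFull = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccountName -match 'Everyone' -and
        $_.AccessRight -eq 'Full' -and
        $_.AccessControlType -eq 'Allow'
    }

    [pscustomobject]@{
        Name         = $share.Name
        Path         = $share.Path
        Hidden       = $isHidden
        BuiltinAdmin = $isBuiltin
        EveryoneFull = [bool]$everyoneFull
        # Hidden, not built-in, Everyone/Full: attribute it to an installed
        # application or treat it as a possible compromise indicator.
        Suspicious   = $isHidden -and -not $isBuiltin -and [bool]$everyoneFull
    }
}
$report | Format-Table -AutoSize

# Built-in admin shares are controlled by AutoShareServer (server SKUs) and
# AutoShareWks (workstations). A value of 0 stops C$, D$, ... and ADMIN$
# from being recreated at the next restart; IPC$ is unaffected, and a share
# that is not built-in is untouched by this setting.
foreach ($valueName in 'AutoShareServer', 'AutoShareWks') {
    $v = (Get-ItemProperty -Path $lanmanParams -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName
    if ($null -eq $v) { "$valueName not set (default: admin shares enabled)" }
    else              { "$valueName = $v (0 = not recreated at boot)" }
}
# To suppress the built-in admin shares on a server (takes effect after restart):
# Set-ItemProperty -Path $lanmanParams -Name AutoShareServer -Value 0 -Type DWord
```

A share reported as Suspicious that survives a reboot after being removed with Remove-SmbShare is being recreated by something other than the Server service, which is the attribution question Harlan asks.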

