Security Incidents mailing list archives
RE: SPM2000$ Rouge Share
From: "Robinson, Jonathon" <Jonathon.Robinson () sykes com>
Date: Tue, 18 Mar 2003 15:35:27 -0500
Harlan,

If I go to the management console > shared folders > shares > Right-click and properties > I get the following: "This has been shared for administrative purposes. The share permissions and file security cannot be set." However, I'm not able to reboot the server at this time as it's currently in production, so the reoccurrence of the share is simply an assumption. I'd just like to know why this share exists.

Jonathon

-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com]
Sent: Tuesday, March 18, 2003 3:23 PM
To: 'incidents () securityfocus com'
Subject: Re: SPM2000$ Rouge Share

Jon,
I have two [NT and 2K] servers that have an administrative share named SPM2000$. This share has full access rights to drive C for the Everyone group. I can deactivate it, but since it's an administrative share it's going to come back at reboot.
Can you please elaborate on this last statement? Just b/c a share is a "hidden" share by virtue of the "$" appended to the end of the name, that doesn't mean that it's an administrative share that's going to return on reboot. Even so, the administrative shares are rather trivially disabled w/ a simple Registry edit...one can disable the appearance of C$, D$, etc, quite easily. Let me ask you this...is this a statement you've made based on assumption or experience? By experience, I mean have you deleted the share, rebooted, and found it there again?
After "Googling" the string, I found something called Service Pack Manager 2000, but I don't think that's what created this as this software uses the default ADMIN$ share. Have any of you seen this share anywhere before?
That's a good question. And I think it's equally important to ask how it got there? If you cannot attribute the share to an authorized installed application, then perhaps a compromise should be considered.

Harlan
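The distinction drawn in this exchange, between a share that is merely hidden by a "$" suffix and a built-in administrative share, can be checked mechanically against a share inventory. The following is an added example, not part of the original thread: it assumes records shaped like the Name/Path/Type fields of WMI's Win32_Share class, and the sample rows, the `authorized` allowlist and the type value given to SPM2000$ are constructed for illustration.

```python
import re

STYPE_SPECIAL = 0x80000000   # type flag carried by the built-in admin shares
BUILTIN = re.compile(r"(?:[A-Z]|ADMIN|IPC)\$", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"[A-Z]:\\?", re.IGNORECASE)

def classify_share(name, path, share_type, authorized=frozenset()):
    """Return (verdict, reasons) for one share record."""
    reasons = []
    # C$, D$, ADMIN$, IPC$ with the special flag are the expected defaults.
    if BUILTIN.fullmatch(name) and share_type & STYPE_SPECIAL:
        return "builtin-admin", reasons
    # Hypothetical allowlist of shares tied to known installed software.
    if name.upper() in authorized:
        return "authorized", reasons
    if name.endswith("$"):
        reasons.append("hidden name ($ suffix), not a flagged built-in share")
    if share_type & STYPE_SPECIAL:
        reasons.append("special/admin type flag on a non-built-in name")
    if DRIVE_ROOT.fullmatch(path or ""):
        reasons.append("exposes an entire drive root")
    return ("investigate" if reasons else "ordinary"), reasons

# Constructed sample inventory: (Name, Path, Type). The thread does not
# state the Type value of SPM2000$; the one below is an assumption.
SAMPLE = [
    ("C$", "C:\\", 0x80000000),
    ("ADMIN$", "C:\\WINNT", 0x80000000),
    ("IPC$", "", 0x80000003),
    ("print$", "C:\\WINNT\\system32\\spool\\drivers", 0),
    ("Public", "D:\\Public", 0),
    ("SPM2000$", "C:\\", 0x80000000),
]

def triage(shares, authorized=frozenset()):
    """Classify every record and key the results by share name."""
    return {n: classify_share(n, p, t, authorized) for n, p, t in shares}

if __name__ == "__main__":
    for name, (verdict, reasons) in triage(SAMPLE, {"PRINT$"}).items():
        print(f"{name:10} {verdict:14} {'; '.join(reasons)}")
```

Any share reported as "investigate" is one to attribute to an installed application before trusting it, which is the question Harlan raises.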