NC_S_ISLCK Group Added

From: Ed Shirley (thewthrman@yahoo.com)
Date: 10/25/01


Message-ID: <20011025142133.6335.qmail@web12907.mail.yahoo.com>
Date: Thu, 25 Oct 2001 07:21:33 -0700 (PDT)
From: Ed Shirley <thewthrman@yahoo.com>
Subject: NC_S_ISLCK Group Added
To: incidents@securityfocus.com

Maybe this has happened to some of you before. My
primary vulnerability-assessment tool is an NT laptop
that I have loaded mucho freeware and other
questionable software onto. I have hardened it pretty
well, I think, because it often will sit on a dirty-e
connection for hours at a time. Since the others on
our team are "curious", even leaving the thing on our
production network puts the machine at risk for being
h4x0red.

Occasionally, I go through it and make sure that no
one installed back orifice or netcat or whatever on it
and look at the group membership of user accounts, and
also run a bunch of tools against it, just to make
sure that it is still water-tight and soap proof.
Sometimes I find some filenames I don't recognize or
other suspicious indications and search Technet or
SecurityFocus or just plain Dogpile to see what turns
up.

This morning, while doing my audit, I saw something
that I don't recognize. I am reluctant to expose my
ignorance, but the machine is important to me and I need
to know what this might indicate.

I was checking the user accounts and making sure that
"guest" was still disabled and not an administrator
(sometimes you don't want to delguest), and noticed
that there was a group that I hadn't seen before. It
is called NC_S_ISLCK. There are no members and no
description. Has anyone seen this group name before
and is it indicative of a particular hack?

Feel free to respond off-list.

Ed


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
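The audit the post describes (enumerate the local groups, compare them against a known baseline, and confirm that Guest is still disabled and not an administrator) as an added example; this is not code from the original post and it does not say what NC_S_ISLCK is. It parses the output of the NT-era `net localgroup` and `net user Guest` commands. The command output below is constructed (it is not output from the poster's laptop), and the baseline list of default workstation groups is an assumption that you would extend with whatever your own build legitimately adds.

```python
"""Baseline audit of local groups and the Guest account, driven by the
text output of `net localgroup` and `net user Guest`.  Runs offline on
constructed sample output; run_live() shows the same check against a
real Windows host."""
import subprocess

# Assumed baseline: default local groups on an NT 4 / 2000 workstation.
# Extend with groups your own build creates on purpose.
BASELINE_GROUPS = {
    "Administrators", "Backup Operators", "Guests", "Power Users",
    "Replicator", "Users",
}

# Constructed sample of `net localgroup` output (not real output), with
# the unexplained group from the post present.
SAMPLE_NET_LOCALGROUP = """\

Aliases for \\\\AUDITBOX

-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Guests
*NC_S_ISLCK
*Power Users
*Replicator
*Users
The command completed successfully.
"""

# Constructed sample of `net user Guest` output: the healthy case.
SAMPLE_NET_USER_GUEST = """\
User name                    Guest
Full Name
Comment                      Built-in account for guest access
Account active               No
Account expires              Never

Local Group Memberships      *Guests
Global Group memberships     *None
The command completed successfully.
"""

# Constructed sample: Guest re-enabled and added to Administrators.
SAMPLE_NET_USER_GUEST_BAD = """\
User name                    Guest
Full Name
Comment                      Built-in account for guest access
Account active               Yes
Account expires              Never

Local Group Memberships      *Administrators       *Guests
Global Group memberships     *None
The command completed successfully.
"""


def parse_net_localgroup(text):
    """Return the set of local group names; each one is listed on its own
    line prefixed with '*'."""
    return {line[1:].strip() for line in text.splitlines() if line.startswith("*")}


def parse_net_user(text):
    """Return (account_enabled, local_group_names) from `net user` output.
    Group memberships may wrap onto indented continuation lines."""
    lines = text.splitlines()
    enabled = False
    groups = set()
    for i, line in enumerate(lines):
        if line.startswith("Account active"):
            enabled = line.split(None, 2)[2].strip() == "Yes"
        elif line.startswith("Local Group Memberships"):
            block = line[len("Local Group Memberships"):]
            for cont in lines[i + 1:]:
                if not cont.startswith(" "):
                    break
                block += " " + cont
            groups = {g.strip() for g in block.split("*") if g.strip()}
            groups.discard("None")
    return enabled, groups


def audit(localgroup_text, guest_text, baseline=BASELINE_GROUPS):
    """Return a list of findings; an empty list means nothing unexpected."""
    findings = []
    for group in sorted(parse_net_localgroup(localgroup_text) - baseline):
        findings.append(f"unexpected local group: {group}")
    enabled, guest_groups = parse_net_user(guest_text)
    if enabled:
        findings.append("Guest account is enabled")
    if "Administrators" in guest_groups:
        findings.append("Guest is a member of Administrators")
    return findings


def run_live():
    """Collect the same data from the running Windows host (not called here)."""
    lg = subprocess.run(["net", "localgroup"], capture_output=True, text=True).stdout
    gu = subprocess.run(["net", "user", "Guest"], capture_output=True, text=True).stdout
    return audit(lg, gu)


if __name__ == "__main__":
    for finding in audit(SAMPLE_NET_LOCALGROUP, SAMPLE_NET_USER_GUEST):
        print(finding)
```

A group that is absent from the baseline is only a lead, not proof of compromise: installers of the "questionable software" the post mentions create local groups too, so the next step is to check what created it (installer logs, the security event log if auditing of account management is on) before treating it as a hack.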