Re: SPM2000$ Rogue Share

From: Harlan Carvey (keydet89@yahoo.com)
Date: 03/18/03

    Date: Tue, 18 Mar 2003 12:22:48 -0800 (PST)
    From: Harlan Carvey <keydet89@yahoo.com>
    To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
    
    

    Jon,

    > I have two [NT and 2K] servers that have an
    > administrative share named
    > SPM2000$.
    > This share has full access rights to drive C for the
    > Everyone group.
    > I can deactivate it, but since it's an
    > administrative share it's going to
    > come back at reboot.

    Can you please elaborate on this last statement? Just
    b/c a share is a "hidden" share by virtue of the "$"
    appended to the end of the name, that doesn't mean
    that it's an administrative share that's going to
    return on reboot.

    Even so, the administrative shares are rather
    trivially disabled w/ a simple Registry edit...one can
    disable the appearance of C$, D$, etc, quite easily.

    Let me ask you this...is this a statement you've made
    based on assumption or experience? By experience, I
    mean have you deleted the share, rebooted, and found
    it there again?
     
    > After "Googling" the string, I found something
    > called Service Pack Manager
    > 2000, but I don't think that's what created this as
    > this software uses the
    > default ADMIN$ share.
    > Have any of you seen this share anywhere before?

    That's a good question. And I think it's equally
    important to ask how it got there? If you cannot
    attribute the share to an authorized installed
    application, then perhaps a compromise should be
    considered.

    Harlan

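The check Harlan describes above (separating a hidden "$" share from the built-in administrative shares, and the Registry switch that controls whether those return at boot), as an added PowerShell example that is not part of the original thread. It assumes a Windows 8/Server 2012 or later host with the SmbShare module, and it names the AutoShareServer/AutoShareWks values, which the thread itself does not.

```powershell
# Added example, not code from the original thread: audit the SMB shares on a host,
# flag hidden ($-suffixed) shares that are not the built-in administrative ones,
# and report the Registry values that decide whether the built-in ones return at boot.
# Assumes Windows 8/2012 or later with the SmbShare module; Win32_Share is read via CIM.

# Built-in administrative shares the Server service recreates at startup.
$BuiltinAdminShares = @('ADMIN$', 'IPC$', 'PRINT$', 'FAX$')

function Get-SuspiciousHiddenShares {
    # Drive-root shares (C$, D$, ...) are also built-in administrative shares.
    $driveShare = '^[A-Z]\$$'
    foreach ($s in (Get-CimInstance -ClassName Win32_Share)) {
        $name = $s.Name.ToUpper()
        if ($name -notlike '*$') { continue }                  # visible share: out of scope
        if ($BuiltinAdminShares -contains $name) { continue }  # expected hidden share
        if ($name -match $driveShare) { continue }             # expected hidden share
        # Anything else ending in "$" was created by a user or an application;
        # a share such as SPM2000$ from the thread would be reported here.
        $everyoneFull = $false
        try {
            $access = Get-SmbShareAccess -Name $s.Name -ErrorAction Stop
            $everyoneFull = [bool]($access | Where-Object {
                $_.AccountName -match 'Everyone' -and
                $_.AccessRight -eq 'Full' -and
                $_.AccessControlType -eq 'Allow'
            })
        } catch { }   # share ACL unreadable; still report the share itself
        [pscustomobject]@{
            Name         = $s.Name
            Path         = $s.Path
            Description  = $s.Description
            EveryoneFull = $everyoneFull
        }
    }
}

function Get-AdminShareAutoCreate {
    # AutoShareServer (server SKUs) / AutoShareWks (workstation SKUs) set to 0 stop the
    # Server service from recreating C$, D$ and ADMIN$ at boot; absent means enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoShareServer = if ($null -ne $p.AutoShareServer) { $p.AutoShareServer } else { 'not set (enabled)' }
        AutoShareWks    = if ($null -ne $p.AutoShareWks)    { $p.AutoShareWks }    else { 'not set (enabled)' }
    }
}

Get-SuspiciousHiddenShares | Format-Table -AutoSize
Get-AdminShareAutoCreate
```

A hidden share that is reported here with EveryoneFull set to True and no owning application is the case the reply says should be treated as a possible compromise.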

