Re: SPM2000$ Rouge Share - Information
From: Leon Havin (gstorm@securitybastion.com)
Date: 03/20/03
- Previous message: Jonathan Rickman: "RE: SPM2000$ Rouge Share"
Date: 20 Mar 2003 06:21:35 -0000
From: Leon Havin <gstorm@securitybastion.com>
To: incidents@securityfocus.com
In-Reply-To: <Pine.LNX.4.33.0303192037260.4118-100000@abacus.xcorps.net>

I would like to shed some light on this issue. First of all the correct
name of the share is SPM2000C$. It is indeed created by Service Pack
Manager 2000 (SPM2000) by Gravity Storm Software. SPM2000 creates this for
its own purposes for pushing security patches and Service Packs to the
remote machine and for the purposes of verification of patch installation
(accessing individual file versions and checksums). This share is created
in a very temporary way and after SPM2000 is done it cleans the share
up. The share is indeed administrative. You can remove it by using, for example,
Windows Explorer, but in addition you have to remove the entry in the
registry, otherwise the share comes back after reboot. Somewhere during
the summer of 2002 one of the versions of Service Pack Manager 2000 had the
share cleanup functionality broken and was failing to clean up the share
properly. When it was reported, we immediately provided the fix. In
addition, we also provided the functionality in SPM2000 that allows you to
remove ANY type of share easily.
Leon Havin,
Gravity Storm Software
>
>On Tue, 18 Mar 2003, Robinson, Jonathon wrote:
>
>> Harlan,
>>
>> If I go to the management console> shared folders> shares> Right-click and
>> properties> I get the following:
>>
>> "This has been shared for administrative purposes. The share permissions and
>> file security cannot be set."
>>
>> However, I'm not able to reboot the server at this time as it's currently in
>> production, so the reoccurrence of the share is simply an assumption.
>>
>> I'd just like to know why this share exists.
>
>The software package mentioned earlier is produced by Gravity Storm
>Software http://securitybastion.com. I have used this software on NT4 with
>great success. It did not exhibit this behavior. I can't say that it does
>not exhibit this behavior by default on Win 2000 as I have not tested it.
>However, I suspect that it could have created the share for its own use.
>Most likely to facilitate the distribution of service packs and hotfixes.
>The version I tested prompted you to do this on your own, perhaps newer
>versions do not. The maintainer can be contacted with the addresses on the
>web site.
>
>--
>Jonathan Rickman
>X Corps Security
>http://www.xcorps.net
>
>
>
>
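The message above notes that a hidden share such as SPM2000C$ returns after a reboot unless its registry entry is removed as well. The following audit script is an added example, not part of the original thread or of SPM2000: it lists hidden shares that are not Windows defaults and shows whether each is live, persisted in the registry, or both. It assumes a current Windows host with PowerShell 3 or later and the standard `LanmanServer\Shares` registry location, which the thread itself does not name.

```powershell
# Added example: audit script, not code from SPM2000 or from the thread.
# Assumption: persistent share definitions are stored as values under this
# key (the standard Windows location; the post does not give the path).
$sharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'

# Shares Windows creates by itself: ADMIN$, IPC$ and one per drive letter.
function Test-DefaultAdminShare([string]$Name) {
    return $Name -match '^(ADMIN\$|IPC\$|[A-Z]\$)$'
}

# Names persisted in the registry; these are recreated when the Server
# service starts, which is why deleting only the live share is not enough.
$persisted = @()
if (Test-Path $sharesKey) {
    $persisted = @((Get-Item $sharesKey).GetValueNames())
}

# Shares currently being served.
$live = @(Get-CimInstance -ClassName Win32_Share)

$names = @($live.Name) + $persisted | Where-Object { $_ } | Sort-Object -Unique

$report = foreach ($name in $names) {
    $share = $live | Where-Object Name -eq $name
    [pscustomobject]@{
        Name         = $name
        Path         = $share.Path
        Live         = [bool]$share
        Persisted    = $persisted -contains $name
        Hidden       = $name.EndsWith('$')
        DefaultAdmin = Test-DefaultAdminShare $name
    }
}

# Hidden, non-default shares are the ones that need an owner and a reason.
# Live=True/Persisted=True will survive a reboot; Live=False/Persisted=True
# is a leftover registry entry that will bring the share back.
$report |
    Where-Object { $_.Hidden -and -not $_.DefaultAdmin } |
    Format-Table Name, Path, Live, Persisted -AutoSize
```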