Re: What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-
From: FTP Man (FTP_at_Man.com)
Date: Sat, 12 Jul 2003 12:36:44 -0400
> > When I see this in my NT4 security log, what does it mean? (see
> > below).
> > -----------------------
> > Event Viewer
> > Security log
> > Object Access
> > User: System
> > Object Open:
> > Object Server: Security
> > Object Type: File
> > Object Name:
> > D:\RECYCLER\S-1-5-21-2093158801-1590382355-17523355-500\DD28\.
> > tagged\~\scanned by\redstar\Parent Directory\for\-=SKBOCA=-
There are more entries like this BTW
> Looks to me like you dropped your firewall and had an FTP service
> installed on your system
How does something like this actually get installed?
Does NAV check for stuff like this?
Any software I can run that will detect this stuff - and kill it?
> Have a look at your running processes & check for any FTP
> servers running (probably Serv-U or Raiden), or remote service tools
> like FireDaemon or Service Manager.
> It's also possible that the services have been cheekily renamed
> as Windows processes like winlogon or svchost; look for multiples
> of these running, then it's deducing which are required by Windows
> to run and which may be part of a hack pack.
I have noticed that something called "winlogon" always comes up as
being shared when I restart the computer (which doesn't happen that
often) and I always stop sharing it immediately after a re-start.
> You never said what OS you run, but I'd bet my last coin it's Win2k
I said above that it's NT4 (NT4 Server, with SP6).
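
For triaging the "more entries like this" in an exported security log, here is an added example (not part of the original message) that pulls every Object Name out of the log text, rejoins paths wrapped across lines, and flags those containing tag-style directory names. The marker list is an assumption drawn from the one entry quoted above, and the sample log, SID and directory names are constructed.

```python
import re

# Assumption: fragments from the entry quoted in this thread, not a full signature set.
TAG_MARKERS = ("scanned by", "tagged", "parent directory")
SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")
FIELD_RE = re.compile(r"^[A-Za-z ]{2,}:(\s|$)")

# Constructed sample in the layout shown above; SID and names are made up.
SAMPLE = r"""
Object Type: File
Object Name:
D:\RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-500\DD7\
tagged\scanned by\example\for\example-crew
Object Type: File
Object Name: D:\RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-500\INFO2
Object Type: File
Object Name: C:\WINNT\system32\config\SecEvent.Evt
"""

def object_names(log_text):
    """Yield each 'Object Name:' value, rejoining values wrapped over lines."""
    lines = [l.strip() for l in log_text.splitlines()]
    i = 0
    while i < len(lines):
        if not lines[i].lower().startswith("object name:"):
            i += 1
            continue
        value = lines[i].split(":", 1)[1].strip()
        i += 1
        # A wrapped path continues until a blank line or the next "Field:" line.
        while i < len(lines) and lines[i] and not FIELD_RE.match(lines[i]):
            value += lines[i]
            i += 1
        yield value

def triage(log_text):
    """Return {path: (under_recycle_bin, matching components)} for tagged paths."""
    findings = {}
    for path in object_names(log_text):
        parts = [p for p in path.split("\\") if p]
        hits = [p for p in parts if any(m in p.lower() for m in TAG_MARKERS)]
        in_bin = len(parts) > 2 and parts[1].upper() == "RECYCLER" and bool(SID_RE.match(parts[2]))
        if hits:
            findings[path] = (in_bin, hits)
    return findings

if __name__ == "__main__":
    for path, (in_bin, hits) in triage(SAMPLE).items():
        print(f"recycle_bin={in_bin} markers={hits} path={path}")
```

Ordinary Recycle Bin bookkeeping such as INFO2 is not reported; only paths whose components match a marker are, with a flag showing whether they sit under a per-user RECYCLER folder.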