Seeing Null Share Connection in Eventviewer
- From: "Will" <westes-usc@xxxxxxxxxxxxxx>
- Date: Tue, 13 Feb 2007 01:27:07 -0800
Having been hacked by a NetBIOS trojan on some unsecured Windows 2000
machines lately, I decided to role play the intruder and see how the events
show up in the event viewer. One thing that really perplexes me is why
does a null connection to IPC$ not show up in event viewer as Anonymous
Logon? I was issuing the command against my own system:

    net use * \\<ip.here>\ipc$ "" /user:""

The only way I could get an anonymous logon message to show up in the
Windows 2000 event viewer was to follow a successful null connection with an
actual mount of a file system. If I mounted c$ as administrator, only at
that point do I then see the anonymous logon from the prior null connection.

It's not real comforting to know that by the time I see the anonymous
connection in the eventviewer I'm already hacked. Nor is it too good to
know that someone might be trying to access the system by a null connection
on an unsecured host, and that activity is not showing up.

Is the above behavior the way this is supposed to work? Is there anything
I can do to get the IPC$ null connection mounts to show right away in
eventviewer?
--
Will