Two questions:
One: do you have the remote desktop (Terminal Services) enabled? or any other remote desktop software? (it is enabled by default on win2k server, but I am not sure about win2k pro...)
Two: are you a member of a domain?

If yes to both these questions, then most likely someone used RD to log onto your machine with a domain level username and password...

just my $.02

Nick Jacobsen,
Ethics Design
nickat_private

----- Original Message -----
From: "discipulus" <rootman22at_private>
To: <incidentsat_private>
Sent: Saturday, October 05, 2002 6:34 AM
Subject: Strange Folder

> Hi,
>
> The other day I noticed a strange folder had been created
> on my W2K Pro machine at work.
>
> The folder had been created in C:\Documents and Settings and
> didn't have an account name but four or five odd looking square
> block characters instead. When I right click on the folder and
> choose "properties", it displays the name as "rrrrr". When I click
> on the "Security" tab, it shows my account with "Full" access and
> somebody else who shouldn't have access to my PC with "Full" access.
> I don't know who this person is but they aren't located in our office
> and wouldn't have physical access to my PC.
>
> I had previously restricted access to my machine to only myself and
> the administrator account. No other account besides administrator or
> my account has access to C:\ or any other drives.
>
> I religiously keep my PC up to date on all security patches.
>
> I had security logging turned on and it shows where this person connected
> to my machine via NTLM on the same day the weird folder was created
> but it doesn't show anything other than the logon/logoff session was
> successful.
>
> Has my account/PC been compromised?
>
> AFAIK, the only way a new folder would be created in C:\Documents and Settings\
> is for "first time" logins.
>
> Can anyone help clear this up for me?
>
> Thanks
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Oct 06 2002 - 13:54:51 PDT