On Sat, 2002-10-05 at 18:18, discipulus wrote:
> On Sat, 2002-10-05 at 17:29, Nick Jacobsen wrote:
> > Two questions:
> > One: do you have the remote desktop (Terminal Services) enabled? or any
> > other remote desktop software?

I'm not sure but I can find out.

>
> > (it is enabled by default on win2k server,
> > but I am not sure about win2k pro...)
> > Two: are you a member of a domain?
> Yes
>
> >
> > If yes to both these questions, then most likely someone used RD to log onto
> > your machine with a domain level username and password... just my $.02
>

Is it likely this person busted my account password and then signed onto
my machine using my account? I saw in my security logs where he connected
ten times using NTLM authentication and I read about an old exploit over
at Microsoft's TechNet site talking about how a hole in NTLM could allow
an attacker to bypass domain authentication, where a login gets disabled
after 3 incorrect attempts, and use a brute force password cracker to
bust the password in the credentials file. It said the attacker would
only have access to the host machine and not other domain resources. I
downloaded the patch to fix this but it said the patch was for systems on
SP1 and I'm on SP3. I haven't installed the patch for fear it will hose
my system but I have changed my password to a real strong one.

Thanks

>
> >
> > Nick Jacobsen,
> > Ethics Design
> > nickat_private
> >
> > ----- Original Message -----
> > From: "discipulus" <rootman22at_private>
> > To: <incidentsat_private>
> > Sent: Saturday, October 05, 2002 6:34 AM
> > Subject: Strange Folder
> >
> >
> > > Hi,
> > >
> > > The other day I noticed a strange folder had been created
> > > on my W2K Pro machine at work.
> > >
> > > The folder had been created in C:\Documents and Settings and
> > > didn't have an account name but four or five odd looking square
> > > block characters instead. When I right click on the folder and
> > > choose "properties", it displays the name as "rrrrr". When I click
> > > on the "Security" tab, it shows my account with "Full" access and
> > > somebody else who shouldn't have access to my PC with "Full" access.
> > > I don't know who this person is but they aren't located in our office
> > > and wouldn't have physical access to my PC.
> > >
> > > I had previously restricted access to my machine to only myself and
> > > the administrator account. No other account besides administrator or
> > > my account has access to C:\ or any other drives.
> > >
> > > I religiously keep my PC up to date on all security patches.
> > >
> > > I had security logging turned on and it shows where this person connected
> > > to my machine via NTLM on the same day the weird folder was created
> > > but it doesn't show anything other than the logon/logoff session was
> > > successful.
> > >
> > > Has my account/PC been compromised?
> > >
> > > AFAIK, the only way a new folder would be created in C:\Documents and Settings\
> > > is for "first time" logins.
> > >
> > > Can anyone help clear this up for me?
> > >
> > > Thanks
> > >
> > >
> > > ----------------------------------------------------------------------------
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management
> > > and tracking system please see: http://aris.securityfocus.com
> > >
> >
> --
> Job Placement, n.:
> Telling your boss what he can do with your job.

--
While having never invented a sin, I'm trying to perfect several.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Oct 06 2002 - 14:02:02 PDT