Another possibility is that they have exploited the default "null sessions" vulnerability of a netbios enabled windows machine. They don't have to be a domain user, they just connect as follows.. net use * \\<target>\<any admin share> /user:"" "" admin shares can be... ipc$ c$ <any other drive>$ admin$ They can also connect to any public share with no security set. This way they connect with a blank username and a blank password. A single registry key fixes some of the associated problems. See the following link for a discussion of some of the nitty gritty. http://cert.uni-stuttgart.de/archive/focus-ms/2002/03/msg00088.html Cheers Mike ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Oct 06 2002 - 22:30:24 PDT