NC_S_ISLCK?

From: Shirley, Ed (thewthrmanat_private)
Date: Wed Jan 01 2003 - 08:30:30 PST


    I was hoping that this would be approved for the list
    as I get many emails from people who searched Google
    and only hit on the question.  Below is the answer
    that I was sending out to people who asked me
    personally.
    
    Over the past 14 months, I received quite a few
    responses to my post on the SecurityFocus incidents
    list regarding the addition of the NC_S_ISLCK group to
    my NT laptop.  The vast majority of these posts were
    from people like me, who have it and have no idea
    where it came from.  I did get a few replies that
    offered clues to its origin and I wanted to share them
    with you who, like me, were/are clueless.
    
    The NC_S_ISLCK group on my box had no members.  Some
    report that it is recreated if renamed or deleted.
    
    This was not limited to NT.  One of you has XP and
    several have Win2k.  I have finally updated my toolkit
    and am running Win2k with no appearance of the group
    thus far.  I looked at all the machines in our lab and
    none of them have the group except for 2 machines that
    have Silent Runner installed on them.  This was the
    full blown version and not just the collector (none of
    the collector-only machines had this group).  I also
    had installed a rapidly-expiring eval of SR on my NT
    laptop.  It's my bet that is where I got the group
    from, but you never know.  Silent Runner installs a
    couple services that took me a while to track down as
    well as Hummingbird Networking.
    
    Now, some stated that the group can come from other
    places, possibly.  You can check your affected boxes
    to see if anything correlates.
    
    Rational Development Suite
    Crystal Reports v. 8 professional
    Sygate Personal Firewall
    Transtext
    Netscape Avatar
    Raytheon Silent Runner
    
    Sorry it took me a year to get back to you.  I
    was waiting for a black helicopter story that never
    came.
    
    So, now, when people do a Google search for NC_S_ISLCK,
    they'll get a hit on this instead of my post with no
    replies from last October.
    
    Ed Shirley
    
    --- kevin.mcphailat_private wrote:
    > I saw your post to incidents.org on finding this
    > group on your system. Did
    > you ever find out what it was? It is on my system as
    > well and I want to know
    > how it got there.
    > 
    > 
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
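
Added example, not part of the original post: one way to carry out the "see if anything correlates" check across several machines, using the candidate products listed in the message. The host names, the inventory values and the split of Silent Runner into "full" and "collector only" entries are constructed for illustration; the sketch assumes each host's group list and installed software were recorded by hand.

```python
# Candidate products named in the post (the Silent Runner full/collector
# split follows the post's lab observation; labels are assumptions).
CANDIDATES = [
    "Rational Development Suite", "Crystal Reports 8 Professional",
    "Sygate Personal Firewall", "Transtext", "Netscape Avatar",
    "Silent Runner (full)", "Silent Runner (collector only)",
]

# Constructed inventory: host -> (has NC_S_ISLCK group, installed software).
INVENTORY = {
    "lab-01": (True,  {"Silent Runner (full)", "Crystal Reports 8 Professional"}),
    "lab-02": (True,  {"Silent Runner (full)", "Sygate Personal Firewall"}),
    "lab-03": (False, {"Silent Runner (collector only)", "Sygate Personal Firewall"}),
    "lab-04": (False, {"Crystal Reports 8 Professional"}),
    "lab-05": (False, {"Silent Runner (collector only)"}),
    "lab-06": (False, set()),
}

def correlate(inventory, candidates):
    """Per product, count hosts by (installed?, group present?)."""
    rows = []
    for product in candidates:
        both = only_product = only_group = 0
        for has_group, software in inventory.values():
            installed = product in software
            both += installed and has_group
            only_product += installed and not has_group
            only_group += has_group and not installed
        rows.append({"product": product, "both": both,
                     "product_without_group": only_product,
                     "group_without_product": only_group})
    return rows

def consistent_sources(rows):
    """Products seen on every host with the group and on no host without it."""
    return [r["product"] for r in rows
            if r["both"] > 0
            and r["product_without_group"] == 0
            and r["group_without_product"] == 0]

if __name__ == "__main__":
    table = correlate(INVENTORY, CANDIDATES)
    for r in table:
        print(f'{r["product"]:32} both={r["both"]} '
              f'product_only={r["product_without_group"]} '
              f'group_only={r["group_without_product"]}')
    print("Consistent with being the source:", consistent_sources(table))
```

Because the message notes the group may come from more than one product, a nonzero `group_without_product` does not rule a candidate out; a nonzero `product_without_group` is the stronger evidence against it.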
    


