A better way to remove those shares is in the registry. The batch file you refer to, many of these so-called hackers refer to as secure.bat. The problem with this is that the batch needs to be put in some startup option (reg run, startup, autoexec, or Windows login script), because as soon as you reboot the shares are back. If you go to Google and do a search for default admin shares you will get the exact reg you need for the O/S you are running.

Michael LaSalvia
Information Technology Coordinator
Jason Foundation for Education
(781)444-8858 ext 231

-----Original Message-----
From: Michiel Overtoom [mailto:motoomat_private]
Sent: Friday, January 03, 2003 1:55 PM
To: incidentsat_private
Subject: RE: Mysterious "Support" account created on Win2k server

Kyle wrote...

>port 445 worm/virus/Trojans are the ones spread via SMB over TCP, port 445,
>using "net use \\[machine]\ipc$. The Trojans include password dictionaries
>for guessing admin ids and passwords.

On my servers I remove this kind of builtin account using a batchfile which gets executed from the startup folder:

@echo off
echo Unsharing default shares...
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete
net share e$ /delete
net share f$ /delete
net share g$ /delete
net share h$ /delete

--
Michiel Overtoom - motoomat_private // Computers are Creative Wonder Machines

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
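An audit of the registry approach discussed in this thread, added here as an example and not taken from either poster's message. It assumes Windows PowerShell 3.0 or later run locally as an administrator; the value names AutoShareServer and AutoShareWks are the standard Windows settings for automatic administrative shares and do not appear in the posts.

```powershell
# Added example: check whether automatic administrative shares are disabled
# in the registry, and list the administrative shares that currently exist.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AutoShareSetting {
    # AutoShareServer applies to server editions, AutoShareWks to workstations.
    # A missing value means the default: shares are recreated when the
    # Server service starts, which is why "net share /delete" does not persist.
    param([string]$Key = $paramKey)
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        $value = $props.$name
        [pscustomobject]@{
            Name     = $name
            Value    = if ($null -eq $value) { '(not set)' } else { $value }
            Disabled = ($null -ne $value -and $value -eq 0)
        }
    }
}

function Get-AdminShare {
    # Win32_Share marks administrative shares with Type >= 2147483648:
    # 2147483648 = disk admin share (C$, ADMIN$), 2147483651 = IPC$.
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Type -ge 2147483648 } |
        Select-Object Name, Path, Type
}

$settings = @(Get-AutoShareSetting)
$shares   = @(Get-AdminShare)
$settings | Format-Table -AutoSize
$shares   | Format-Table -AutoSize

# IPC$ is not controlled by the AutoShare values, so it is excluded here.
$diskShares = @($shares | Where-Object { $_.Name -ne 'IPC$' })
$disabled   = @($settings | Where-Object Disabled)

if ($disabled.Count -eq 0) {
    Write-Warning 'No AutoShare value is 0; deleted admin shares return at the next restart.'
} elseif ($diskShares.Count -gt 0) {
    Write-Warning 'An AutoShare value is 0 but disk admin shares still exist; restart the Server service or reboot.'
} else {
    Write-Output 'Automatic disk admin shares are disabled and none are present.'
}
```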
This archive was generated by hypermail 2b30 : Mon Jan 06 2003 - 20:59:31 PST