Re: Odd Shares showing up on workstations

From: H C (keydet89at_private)
Date: Tue Jan 21 2003 - 15:13:16 PST


    J,
    
    It might be helpful if you checked the processes
    running on these systems.  At the least you'd be
    likely to find something suspicious to investigate.
    
    Carv
    
    --- J Jewitt <jjewitt2001at_private> wrote:
    > 
    >   I'm seeing some strange activity, maybe someone
    > can help.
    > 
    >   Windows 2000 workstations (the norm here) are
    > getting their C and D drives shared, full control to
    > everyone.
    > 
    >   The systems have current antivirus.
    > 
    >   The odd thing is the sharenames. The share name is
    > the drive letter --C or D-- with a computer name of a
    > DIFFERENT computer in our enterprise appended.
    >   The problem spans at least two domains that we
    > have seen.
    > 
    >   These systems are all on a private network with a
    > well-run firewall ruleset.
    >      
    >   So if you look at a system showing these
    > characteristics, you'll see a list of shares that
    > look like:
    > 
    > |-|VICTIM
    >           |+|CSYSTEMNAME1
    >           |+|CSYSTEMNAME2
    >           |+|DSYSTEMNAME1
    >           |+|DSYSTEMNAME2
    > 
    >   So far, it appears it may be an admin script gone
    > awry, but no one has admitted to it. So, if anyone
    > has seen a worm like this please let me know.
    > 
    >       thanks in advance,
    >            J Jewitt
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 10:27:05 PST
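
Added example (not part of the original thread): a triage check for the share-naming pattern described in the quoted message, run over constructed `net share` output. The host names, the inventory list and the function names are assumptions; share permissions do not appear in this output and are not checked here.

```python
import re

# Constructed sample of `net share` output from a hypothetical workstation
# named VICTIM; the odd share names follow the pattern described in the thread.
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINNT                        Remote Admin
CSYSTEMNAME1 C:\\
DSYSTEMNAME2 D:\\
Reports      D:\\Reports                      Team reports
The command completed successfully.
"""

# A disk-share row: share name, whitespace, then a drive path.
# Limitation: share names containing spaces are not matched.
ROW = re.compile(r"^(\S+)\s+([A-Za-z]:\\\S*)")

def parse_shares(text):
    """Return (share_name, path) pairs for disk shares in `net share` output."""
    return [m.groups() for m in map(ROW.match, text.splitlines()) if m]

def suspicious_shares(text, local_name, known_hosts):
    """Flag shares named <drive letter><other computer's name> exposing a drive root.

    known_hosts is an assumed inventory of computer names in the enterprise.
    """
    others = {h.upper() for h in known_hosts} - {local_name.upper()}
    hits = []
    for name, path in parse_shares(text):
        drive, rest = name[:1].upper(), name[1:].upper()
        is_root = re.fullmatch(r"[A-Za-z]:\\", path) is not None
        # Assumption: the leading letter of the share name is the shared drive.
        if is_root and path[0].upper() == drive and rest in others:
            hits.append((name, path))
    return hits

if __name__ == "__main__":
    inventory = ["VICTIM", "SYSTEMNAME1", "SYSTEMNAME2"]  # constructed
    for name, path in suspicious_shares(SAMPLE_NET_SHARE, "VICTIM", inventory):
        print(f"suspicious share {name} -> {path}")
```

Any hit is a starting point for the process review suggested in the reply, together with a look at the share's permissions.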