RE: SPM2000$ Rogue Share

From: Robinson, Jonathon (Jonathon.Robinsonat_private)
Date: Tue Mar 18 2003 - 11:57:14 PST

    If I go to the management console > Shared Folders > Shares > right-click
    and Properties, I get the following:
    
    This has been shared for administrative purposes. The share permissions and
    file security cannot be set.
    
    
    Thanks,
    Jonathon
    
    -----Original Message-----
    From: Dan Bartley [mailto:bartleydat_private] 
    Sent: Tuesday, March 18, 2003 2:54 PM
    To: Robinson, Jonathon
    Subject: RE: SPM2000$ Rogue Share
    
    What makes you feel it is an administrative share? The $ only means
    hidden, not necessarily administrative.
    
    Best Regards, 
    
    Dan Bartley
    
    
    -----Original Message-----
    From: Robinson, Jonathon [mailto:Jonathon.Robinsonat_private] 
    Sent: Tuesday, March 18, 2003 14:27
    To: 'incidentsat_private'
    
    I have two [NT and 2K] servers that have an administrative share named
    SPM2000$. This share has full access rights to drive C for the Everyone
    group. I can deactivate it, but since it's an administrative share it's
    going to come back at reboot.
    
    After "Googling" the string, I found something called Service Pack Manager
    2000, but I don't think that's what created this as this software uses the
    default ADMIN$ share.
    Have any of you seen this share anywhere before?
     
    
    Thanks,
    
    Jonathon W. Robinson
    Network Security Specialist
    
    


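The distinction raised in the thread (a trailing `$` hides a share; it does not make it one of the built-in administrative shares) as an added triage example that is not part of the original messages. It reads an export of the `Name`, `Path` and `Type` columns of `Win32_Share` and separates the shares the Server service creates by default from ones that only resemble them. All sample rows are constructed, and the `Type` value given to `SPM2000$` is an assumption based on the console message quoted above.

```python
import csv
import io
import re

STYPE_SPECIAL = 0x80000000          # admin bit in the Win32_Share Type value
DRIVE_SHARE = re.compile(r"^[A-Z]\$$")   # C$, D$, ...

def classify(name, path, stype):
    """Return a triage verdict for one share record."""
    special = bool(stype & STYPE_SPECIAL)
    upper = name.upper()
    if special and upper in ("ADMIN$", "IPC$"):
        return "default-admin"
    if special and DRIVE_SHARE.match(upper):
        # A genuine drive share maps X$ to the root of drive X.
        if path.upper() == upper[0] + ":\\":
            return "default-admin"
        return "review: drive share with unexpected path"
    if special:
        # Carries the admin flag but is not a name Windows creates itself.
        return "review: admin-flagged, non-default name"
    if name.endswith("$"):
        # Hidden from browsing only; an ordinary user-created share.
        return "review: hidden, user-created"
    return "visible"

def triage(csv_text):
    """Classify every row of a Name,Path,Type CSV export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["Name"], classify(r["Name"], r["Path"], int(r["Type"])))
            for r in rows]

# Constructed sample export (not taken from the servers in the thread).
SAMPLE = r"""Name,Path,Type
C$,C:\,2147483648
ADMIN$,C:\WINNT,2147483648
IPC$,,2147483651
SPM2000$,C:\,2147483648
backup$,D:\backup,0
public,D:\public,0
"""

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE):
        print(f"{name:10} {verdict}")
```

Anything not marked `default-admin` or `visible` is worth checking by hand for who created it and what share permissions it grants.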

    This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 12:55:52 PST