RE: SPM2000$ Rogue Share

From: Robinson, Jonathon (Jonathon.Robinsonat_private)
Date: Tue Mar 18 2003 - 12:35:27 PST


    Harlan,
    
    If I go to the management console> shared folders> shares> Right-click and
    properties> I get the following:
    
    "This has been shared for administrative purposes. The share permissions and
    file security cannot be set."
    
    However, I'm not able to reboot the server at this time as it's currently in
    production, so the recurrence of the share is simply an assumption.
    
    I'd just like to know why this share exists.
    
    Jonathon
    
    
    
    -----Original Message-----
    From: Harlan Carvey [mailto:keydet89at_private] 
    Sent: Tuesday, March 18, 2003 3:23 PM
    To: 'incidentsat_private'
    Subject: Re: SPM2000$ Rogue Share
    
    Jon,
    
    > I have two [NT and 2K] servers that have an
    > administrative share named
    > SPM2000$. 
    > This share has full access rights to drive C for the
    > Everyone group. 
    > I can deactivate it, but since it's an
    > administrative share it's going to
    > come back at reboot.
    
    Can you please elaborate on this last statement?  Just
    b/c a share is a "hidden" share by virtue of the "$"
    appended to the end of the name, that doesn't mean
    that it's an administrative share that's going to
    return on reboot.
    
    Even so, the administrative shares are rather
    trivially disabled w/ a simple Registry edit...one can
    disable the appearance of C$, D$, etc, quite easily.
    
    Let me ask you this...is this a statement you've made
    based on assumption or experience?  By experience, I
    mean have you deleted the share, rebooted, and found
    it there again?
     
    > After "Googling" the string, I found something
    > called Service Pack Manager
    > 2000, but I don't think that's what created this as
    > this software uses the
    > default ADMIN$ share.
    > Have any of you seen this share anywhere before?
    
    That's a good question.  And I think it's equally
    important to ask how it got there?  If you cannot
    attribute the share to an authorized installed
    application, then perhaps a compromise should be
    considered.
    
    Harlan
    
    
    
    
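    An added example, not part of either message above: the three questions Harlan raises (is a "$"-suffixed share really one of the built-in administrative shares, will it come back after a reboot, and does it grant Everyone full control) can be answered from the registry and the share list without rebooting a production box. The script below does that check on a current Windows host. It assumes the SmbShare cmdlets (Windows 8 / Server 2012 and later); on NT and 2000 hosts like the ones in this thread the same registry keys apply, but you would read them with regedit and list shares with "net share". The registry locations are the real ones: the Server service persists user-created shares as values under LanmanServer\Shares, and AutoShareServer / AutoShareWks = 0 under LanmanServer\Parameters is the edit that stops C$, D$ and ADMIN$ from being recreated at startup.

```powershell
# Added example, not from the thread. Audits local SMB shares and reports, per share:
# whether it is a built-in administrative share (not just a hidden "$" share),
# whether the Server service will recreate it after a reboot, and whether it
# grants Everyone full control (the condition reported for SPM2000$).
# Requires the SmbShare module (Windows 8 / Server 2012+). Run elevated.

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'

function Get-ShareAudit {
    # Shares created with "net share" or the MMC are written here as REG_MULTI_SZ
    # values named after the share; the Server service recreates them at startup.
    # A share that is absent from this key is gone after a reboot.
    $persisted = @()
    if (Test-Path "$lanman\Shares") {
        $persisted = (Get-Item "$lanman\Shares").GetValueNames()
    }

    # AutoShareServer (servers) / AutoShareWks (workstations): a DWORD of 0 is the
    # Registry edit that stops C$, D$, ADMIN$ from being created at startup.
    # Absent values mean the default, which is enabled. IPC$ is unaffected either way.
    $params = Get-ItemProperty "$lanman\Parameters" -ErrorAction SilentlyContinue
    $autoShareOn = $true
    foreach ($v in 'AutoShareServer', 'AutoShareWks') {
        if ($null -ne $params.$v -and [int]$params.$v -eq 0) { $autoShareOn = $false }
    }

    foreach ($share in Get-SmbShare) {
        # The Special flag is what marks a built-in administrative share.
        # A trailing "$" by itself only hides the share from browsing.
        $kind = if ($share.Special) { 'admin (built-in)' }
                elseif ($share.Name.EndsWith('$')) { 'hidden (user-created)' }
                else { 'normal' }

        $survivesReboot =
            ($share.Special -and ($autoShareOn -or $share.Name -eq 'IPC$')) -or
            ($persisted -contains $share.Name)

        # Everyone / Allow / Full on the share ACL. On non-English systems the
        # well-known group may be reported under its localized name; S-1-1-0 is its SID.
        $everyoneFull = Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                ($_.AccountName -eq 'Everyone' -or $_.AccountName -eq 'S-1-1-0') -and
                $_.AccessControlType -eq 'Allow' -and
                $_.AccessRight -eq 'Full'
            }

        [PSCustomObject]@{
            Name           = $share.Name
            Path           = $share.Path
            Kind           = $kind
            SurvivesReboot = $survivesReboot
            EveryoneFull   = [bool]$everyoneFull
        }
    }
}

# A share like SPM2000$ would show up as "hidden (user-created)"; if SurvivesReboot
# is $true it is listed under LanmanServer\Shares and deleting it from there (or with
# "net share SPM2000$ /delete", which removes the value) is what keeps it from returning.
Get-ShareAudit | Sort-Object Name | Format-Table -AutoSize
```

    Reading the LanmanServer\Shares key is the non-disruptive answer to Harlan's "deleted it, rebooted, and found it there again?" question: a hidden share that is not a Special share and is not listed there will not come back on its own, and if it does reappear after being removed, something on the host is recreating it, which is the point at which attributing it to an installed application or treating the host as compromised becomes the next step.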



    This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 13:00:34 PST