Re: SPM2000$ Rogue Share - Information

From: Leon Havin (gstormat_private)
Date: Wed Mar 19 2003 - 22:21:35 PST

    In-Reply-To: <Pine.LNX.4.33.0303192037260.4118-100000at_private>
    
    I would like to shed some light on this issue. First of all, the correct
    name of the share is SPM2000C$. It is indeed created by Service Pack
    Manager 2000 (SPM2000) by Gravity Storm Software. SPM2000 creates this for
    its own purposes, for pushing security patches and Service Packs to the
    remote machine and for the purposes of verification of patch installation
    (accessing individual file versions and checksums). This share is created
    in a very temporary way, and after SPM2000 is done it cleans the share
    up. The share is indeed administrative. You can remove it by using, for
    example, Windows Explorer, but in addition you have to remove the entry in
    the registry, otherwise the share comes back after reboot. Sometime during
    the summer of 2002 one of the versions of Service Pack Manager 2000 had the
    share cleanup functionality broken and was failing to clean up the share
    properly. When it was reported, we immediately provided the fix. In
    addition, we also provided the functionality in SPM2000 that allows you to
    remove ANY type of share easily.
    
    Leon Havin,
    Gravity Storm Software
    
    >
    >On Tue, 18 Mar 2003, Robinson, Jonathon wrote:
    >
    >> Harlan,
    >>
    >> If I go to the management console> shared folders> shares> Right-click and
    >> properties> I get the following:
    >>
    >> "This has been shared for administrative purposes. The share permissions and
    >> file security cannot be set."
    >>
    >> However, I'm not able to reboot the server at this time as it's currently in
    >> production, so the reoccurrence of the share is simply an assumption.
    >>
    >> I'd just like to know why this share exists.
    >
    >The software package mentioned earlier is produced by Gravity Storm
    >Software http://securitybastion.com. I have used this software on NT4 with
    >great success. It did not exhibit this behavior. I can't say that it does
    >not exhibit this behavior by default on Win 2000 as I have not tested it.
    >However, I suspect that it could have created the share for its own use.
    >Most likely to facilitate the distribution of service packs and hotfixes.
    >The version I tested prompted you to do this on your own, perhaps newer
    >versions do not. The maintainer can be contacted with the addresses on the
    >web site.
    >
    >--
    >Jonathan Rickman
    >X Corps Security
    >http://www.xcorps.net
    >
    

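The message above says that a share removed in Windows Explorer comes back after a reboot unless its registry entry is also removed. The following is an added example, not part of the original post and not code from Gravity Storm Software, that lists persisted share definitions and flags the ones an administrator does not expect. It assumes the entry in question is a value under the Server service's `LanmanServer\Shares` key; the function names, the allow-list and the sample data are constructed for illustration.

```powershell
# Added example: find share definitions that are re-created at boot,
# such as a leftover SPM2000C$.
# Assumption: the registry entry meant in the post is a value under this key.
$SharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'

function ConvertFrom-ShareEntry {
    # One share is stored as a multi-string value of "Key=Value" lines.
    param([string]$Name, [string[]]$Data)
    $fields = @{}
    foreach ($line in $Data) {
        $k, $v = $line -split '=', 2
        if ($k) { $fields[$k] = $v }
    }
    [pscustomobject]@{
        Name = $Name
        Path = $fields['Path']
        Type = $fields['Type']
    }
}

function Find-UnexpectedShare {
    # $Persisted: hashtable of value name -> string[] as read from the key.
    # $Allowed:   share names the administrator expects to be persisted.
    param([hashtable]$Persisted, [string[]]$Allowed)
    foreach ($name in ($Persisted.Keys | Sort-Object)) {
        if ($Allowed -notcontains $name) {   # comparison is case-insensitive
            ConvertFrom-ShareEntry -Name $name -Data $Persisted[$name]
        }
    }
}

function Get-PersistedShare {
    # Read the live key into the same hashtable shape (run elevated).
    $key = Get-Item -Path $SharesKey
    $result = @{}
    foreach ($valueName in $key.GetValueNames()) {
        $result[$valueName] = [string[]]$key.GetValue($valueName)
    }
    $result
}

# Constructed sample data, so the check can be read without a live server.
$sample = @{
    'SPM2000C$' = @('MaxUses=4294967295', 'Path=C:\', 'Permissions=0', 'Type=0')
    'Public'    = @('MaxUses=4294967295', 'Path=D:\Public', 'Permissions=0', 'Type=0')
}
Find-UnexpectedShare -Persisted $sample -Allowed @('Public') | Format-Table -AutoSize
```

On the server itself, pass `(Get-PersistedShare)` as `-Persisted`. A flagged value can then be previewed for deletion with `Remove-ItemProperty -Path $SharesKey -Name 'SPM2000C$' -WhatIf` before removing it for real.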


    This archive was generated by hypermail 2b30 : Thu Mar 20 2003 - 07:37:17 PST