Re: Strange Folder

[discipulus <rootman22 () attbi com>]

On Sat, 2002-10-05 at 18:18, discipulus wrote:
> On Sat, 2002-10-05 at 17:29, Nick Jacobsen wrote:
> > Two questions:
> > One: do you have the remote desktop (Terminal Services) enabled?  or any
> > other remote desktop software?
 
 I'm not sure but I can find out.

> > (it is enabled by default on win2k server,
> > but I am not sure about win2k pro...)
> > Two: are you a member of a domain?

 Yes

> > If yes to both these questions, then most likely someone used RD to log onto
> > you machine with a domain level username and password...  just my $.02
Is it likely this person busted my account password and then signed
onto my machine using my account?  I saw in my security logs where
he connected ten times using NTLM authentication and I read about an
old exploit over at Microsoft's technet site talking about how a hole
in NTLM could allow an attacker to bypass domain authentication, where
a login gets disabled after 3 incorrect attempts, and use a brute force
password cracker to bust the password in the credentials file.  It said
the attacker would only have access to the host machine and not other
domain resources.
 
I downloaded the patch to fix this but it said the patch was for systems
on SP1 and I'm on SP3.  I haven't installed the patch for fear it will
hose my system but I have changed my password to a real strong one.
 
Thanks
> > Nick Jacobsen,
> > Ethics Design
> > nick () ethicsdesign com
> >
> > ----- Original Message -----
> > From: "discipulus" <rootman22 () attbi com>
> > To: <incidents () securityfocus com>
> > Sent: Saturday, October 05, 2002 6:34 AM
> > Subject: Strange Folder
> >
> >
> > > Hi,
> > >
> > > The other day I noticed a strange folder had been created
> > > on my W2K Pro machine at work.
> > >
> > > The folder had been created in C:\Documents and Settings and
> > > didn't have an account name but four or five odd looking square
> > > block characters instead.  When I right click on the folder and
> > > choose "properties", it displays the name as "rrrrr".  When I click
> > > on the "Security" tab, it shows my account with "Full" access and
> > > somebody else who shouldn't have access to my PC with "Full" access.
> > > I don't know who this person is but they aren't located in our office
> > > and wouldn't have physical access to my PC.
> > >
> > > I had previously restricted access to my machine to only myself and
> > > the administrator account.  No other account besides administrator or
> > > my account has access to C:\ or any other drives.
> > >
> > > I religiously keep my PC up to date on all security patches.
> > >
> > > I had security logging turned on and it shows where this person connected
> > > to my machine via NTLM on the same day the weird folder was created
> > > but it doesn't show anything other than the logon/logoff session was
> > > successful.
> > >
> > > Has my account/PC been compromised?
> > >
> > > AFAIK, the only way a new folder would be created in C:\Documents and
> > Settings\
> > > is for "first time" logins.
> > >
> > > Can anyone help clear this up for me?
> > >
> > > Thanks
> > >
> > >
> > > --------------------------------------------------------------------------
> > --
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management
> > > and tracking system please see: http://aris.securityfocus.com
> -- 
> Job Placement, n.:
>       Telling your boss what he can do with your job.
-- 
While having never invented a sin, I'm trying to perfect several.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com