Security Incidents mailing list archives

Re: SPM2000$ Rouge Share - Information


From: Leon Havin <gstorm () securitybastion com>
Date: 20 Mar 2003 06:21:35 -0000

In-Reply-To: <Pine.LNX.4.33.0303192037260.4118-100000 () abacus xcorps net>

I would like to shed some light on this issue. First of all, the correct 
name of the share is SPM2000C$. It is indeed created by Service Pack 
Manager 2000 (SPM2000) by Gravity Storm Software. SPM2000 creates this for 
its own purposes, for pushing security patches and Service Packs to the 
remote machine and for the purposes of verification of patch installation 
(accessing individual file versions and checksums). This share is created 
in a very temporary way, and after SPM2000 is done it cleans the share 
up. The share is indeed administrative. You can remove it by using, for 
example, Windows Explorer, but in addition you have to remove the entry in 
the registry, otherwise the share comes back after reboot. Sometime during 
the summer of 2002, one of the versions of Service Pack Manager 2000 had 
the share cleanup functionality broken and was failing to clean up the 
share properly. When it was reported, we immediately provided the fix. In 
addition, we also provided the functionality in SPM2000 that allows you to 
remove ANY type of share easily.

Leon Havin,
Gravity Storm Software


On Tue, 18 Mar 2003, Robinson, Jonathon wrote:

Harlan,

If I go to the management console> shared folders> shares> Right-click
and properties> I get the following:

"This has been shared for administrative purposes. The share
permissions and file security cannot be set."

However, I'm not able to reboot the server at this time as it's
currently in production, so the reoccurrence of the share is simply an
assumption.

I'd just like to know why this share exists.

The software package mentioned earlier is produced by Gravity Storm
Software http://securitybastion.com. I have used this software on NT4 with
great success. It did not exhibit this behavior. I can't say that it does
not exhibit this behavior by default on Win 2000 as I have not tested it.
However, I suspect that it could have created the share for its own use.
Most likely to facilitate the distribution of service packs and hotfixes.
The version I tested prompted you to do this on your own, perhaps newer
versions do not. The maintainer can be contacted with the addresses on the
web site.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
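
The cleanup described in the reply above (delete the share, then delete its stored registry entry so it does not return after a reboot), as an added PowerShell example that is not part of the original thread or of SPM2000. It assumes the stored entry sits under the standard `LanmanServer\Shares` key, which the thread does not name; the `-Remove` switch and the variable names are hypothetical.

```powershell
# Added example; not part of the original thread.
param(
    [string]$ShareName = 'SPM2000C$',   # share name given in the thread
    [switch]$Remove                     # without this switch the script only reports
)

# Assumption: the persisted definition is a value under the standard Server
# service key; the thread does not say where the registry entry lives.
$sharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'

# Hidden shares Windows creates itself: drive roots (C$, D$, ...), ADMIN$, IPC$, PRINT$.
$default = '^([A-Z]|ADMIN|IPC|PRINT)\$$'

$live      = @(Get-CimInstance -ClassName Win32_Share)
$persisted = @((Get-Item -LiteralPath $sharesKey).GetValueNames())

# Every non-default hidden share that is active, stored in the registry, or both.
$names = @($live.Name) + $persisted |
    Where-Object { $_ -like '*$' -and $_ -notmatch $default } |
    Sort-Object -Unique

foreach ($n in $names) {
    [pscustomobject]@{
        Share     = $n
        Path      = ($live | Where-Object Name -eq $n).Path
        Active    = $n -in $live.Name       # currently served
        Persisted = $n -in $persisted       # will be recreated at next start
    }
}

if ($Remove) {
    # Step 1: stop serving the share now.
    $live | Where-Object Name -eq $ShareName | Invoke-CimMethod -MethodName Delete | Out-Null

    # Step 2: remove the stored definition (and its security descriptor) if it
    # is still present, so the share is not recreated after a reboot.
    foreach ($k in $sharesKey, "$sharesKey\Security") {
        if ((Test-Path -LiteralPath $k) -and
            ((Get-Item -LiteralPath $k).GetValueNames() -contains $ShareName)) {
            Remove-ItemProperty -LiteralPath $k -Name $ShareName
        }
    }
}
```

A row with `Active` false and `Persisted` true is the state the reply warns about: the share looks gone but will return at the next restart.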



