[19812] in bugtraq
Re: Windows Sharing Allows Internet Tracking
daemon@ATHENA.MIT.EDU (3APA3A)
Fri Mar 23 16:18:56 2001
Message-ID: <12165488227.20010323130724@SECURITY.NNOV.RU>
Date: Fri, 23 Mar 2001 13:07:24 +0300
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
X-To: Preston W Chang <presto@REGIONONLINE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <web-8203873@post2.rnci.com>
Hello Preston,
Thursday, March 22, 2001, 2:12:30 AM, you wrote:
PWC> When logging into a share via NetBIOS, on a NT-to-NT connection,
PWC> the user connecting will have his/her Temporary Internet Files
PWC> transferred onto the server which they have connected to. You
PWC> would find it in this type of path:
PWC> c:\winnt\profiles\Administrator\Temporary Internet Files. If you
PWC> believe that you are victim to an intruder, definitely check this
PWC> folder. I have examined many of the NT "rootkit" techniques and
PWC> suites, with none that include cleaning out the transferred
PWC> cache. You may or may not find a definitive profile right away of
PWC> your intruder, but by common investigation, it should lead you to
PWC> something. You will find most recently visited sites, as well as
PWC> cookies from the intruding computer (turn the tables on them =)
PWC> ).
Nonsense. NT never transfers any files when connecting through a network
share. During network logon NT doesn't use the profile at all. Files from
the user's profile (if a roaming network profile is configured for the user)
are only transferred from the server configured by the Administrator in the
"User profile path" setting of the user's account when the user logs on
_locally_. If you found strange files in your Administrator's profile it
means one of your _local_ users used the Administrator's account to log on
to this computer or to another computer (if roaming profiles are used). Or
maybe you discovered a strange kind of hacker who retrieved the password of
your Administrator, created a new computer account in your domain and used
the Administrator account to log on to his own computer :)))
BTW, in the case of a roaming profile it's common practice to exclude "Local
Settings" and "Temporary Internet Files" from roaming. It's possible to use
the System Policy Editor (poledit.exe). In User Policy choose "Windows NT
User Profiles" and check "Exclude directories in roaming profile".
--
~/3APA3A
So, I will be brief. (Twain)
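An added example, not part of the original thread, showing how to verify the roaming-profile exclusion 3APA3A recommends on a later Windows version where PowerShell is available. It assumes the "Exclude directories in roaming profile" policy is stored as the semicolon-separated REG_SZ value ExcludeProfileDirs under HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer; poledit.exe distributes the same setting through a policy file, whereas this script only touches the current user's registry.

```powershell
# Added example (not from the original post): check that the directories
# recommended for exclusion from roaming are present in the policy value,
# and add any that are missing.
# Assumption: the policy is stored as the semicolon-separated REG_SZ value
# ExcludeProfileDirs under the Policies\Explorer key of the current user.

$PolicyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PolicyValue = 'ExcludeProfileDirs'
$Required    = @('Local Settings', 'Temporary Internet Files')

function Get-ExcludedProfileDirs {
    # Returns the currently excluded directories as an array
    # (empty if the policy value has never been set).
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    return @($item.$PolicyValue -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-MissingExclusions {
    param([string[]]$Current, [string[]]$Wanted)
    # -notcontains compares case-insensitively, matching how profile
    # directory names are compared on Windows.
    return @($Wanted | Where-Object { $Current -notcontains $_ })
}

function Set-ExcludedProfileDirs {
    param([string[]]$Dirs)
    # Create the policy key if it does not exist yet, then write the list back
    # in the same semicolon-separated form the policy editor uses.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value ($Dirs -join ';')
}

$current = Get-ExcludedProfileDirs
$missing = Get-MissingExclusions -Current $current -Wanted $Required
if ($missing.Count -eq 0) {
    Write-Host "All required exclusions present: $($current -join '; ')"
} else {
    Write-Host "Missing from roaming-profile exclusions: $($missing -join '; ')"
    Set-ExcludedProfileDirs -Dirs ($current + $missing)
    Write-Host "Policy value updated; it takes effect at the next logon."
}
```

Run it under the account whose roaming profile you are checking; on a domain, the policy file or Group Policy would normally overwrite this value at logon, so the lasting fix is still made in the policy editor as described in the post.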