[19844] in bugtraq
Windows Sharing Allows Internet Tracking
daemon@ATHENA.MIT.EDU (Bill Sobel)
Mon Mar 26 12:32:26 2001
Message-ID: <MOBBLMDLOJLNFKCLBLFEKECIHMAB.bsobel@symantec.com>
Date: Mon, 26 Mar 2001 00:33:35 -0800
Reply-To: Bill Sobel <bsobel@SYMANTEC.COM>
From: Bill Sobel <bsobel@SYMANTEC.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
> I could be wrong about the following so let me know if you know for a
> _fact_ that I am.
You're not wrong. My internet cache is about 1/2 a gig, sure would hurt
mapping drives waiting for that to 'transfer over'.
> No. The only reason you came to this conclusion is because it "looks" like
> this is what is happening.
Correct, the folder contains a desktop.ini file which invokes a name space
extension. The name space extension *always* browses your local Temporary
Internet Files regardless of the directory it's started in.
From the original post the author stated:
> common investigation, it should lead you to something. You
> will find most recently visited sites, as well as cookies
> from the intruding computer (turn the tables on them =) ).
All I can get from this is the original poster shared a drive and then
noticed that his temp files 'appeared' to now be on the server. I can see
how one could initially get confused browsing 'your files' now apparently
residing there.
I guess Greg won't be updating the rootkit code to nuke the TIF files
anytime soon :)
Bill Sobel
Symantec
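
Added example, not part of the original message or any Symantec code: a small check an examiner could run on a folder's desktop.ini to see whether it hands the folder view to a shell name space extension, in which case Explorer's listing may not reflect what is on disk. The key names CLSID, CLSID2 and UICLSID are an assumption about which [.ShellClassInfo] entries matter, and the GUID in the sample is a constructed placeholder.

```python
import re

# Assumed [.ShellClassInfo] keys that hand a folder's view to a shell extension.
EXT_KEYS = {"clsid", "clsid2", "uiclsid"}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed samples (placeholder GUID, not a real extension).
SAMPLE_EXT = b"[.ShellClassInfo]\r\nUICLSID={00000000-1111-2222-3333-444444444444}\r\n"
SAMPLE_PLAIN = b"[.ShellClassInfo]\r\nIconFile=folder.ico\r\nIconIndex=0\r\n"

def decode_ini(raw: bytes) -> str:
    """desktop.ini is either ANSI or UTF-16 with a BOM; decode both."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

def namespace_extensions(raw: bytes) -> dict:
    """Return {key: GUID} for extension keys found in [.ShellClassInfo]."""
    found, section = {}, None
    for line in decode_ini(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != ".shellclassinfo" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        match = GUID_RE.search(value)
        if key in EXT_KEYS and match:
            found[key] = match.group(0).upper()
    return found

def view_is_redirected(raw: bytes) -> bool:
    """True when Explorer's listing may not reflect the directory on disk."""
    return bool(namespace_extensions(raw))

if __name__ == "__main__":
    for name, data in (("extension", SAMPLE_EXT), ("plain", SAMPLE_PLAIN)):
        print(name, view_is_redirected(data), namespace_extensions(data))
```

When the check returns true, list the directory with a tool that does not load shell extensions before drawing conclusions about whose files are stored there.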