Posted by Will on February 13, 2007, 4:27 am
Having been hacked by a NetBIOS trojan on some unsecured Windows 2000
machines lately, I decided to role play the intruder and see how the events
show up in the event viewer. One thing that really perplexes me is why
does a null connection to IPC$ not show up in event viewer as Anonymous
Logon? I was issuing the command against my own system:
net use * \\<ip.here>\ipc$ "" /user:""
The only way I could get an anonymous logon message to show up in the
Windows 2000 event viewer was to follow a successful null connection with an
actual mount of a file system. If I mounted c$ as administrator, only at
that point do I then see the anonymous logon from the prior null connection.
It's not real comforting to know that by the time I see the anonymous
connection in the event viewer I'm already hacked. Nor is it too good to
know that someone might be trying to access the system by a null connection
on an unsecured host, and that activity is not showing up.
Is the above behavior the way this is supposed to work? Is there anything
I can do to get the IPC$ null connection mounts to show right away in
event viewer?
--
Will