Re: Strange NT Log Entries
- To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
- Subject: Re: Strange NT Log Entries
- From: David LeBlanc <dleblanc@MINDSPRING.COM>
- Date: Mon, 17 Aug 1998 09:38:37 -0400
- Comments: To: Luke Kenneth Casson Leighton <lkcl@SWITCHBOARD.NET>
- In-Reply-To: <199808171251.IAA06641@camel16.mindspring.com>
- Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
There's a little bit of a misunderstanding going on here - I'll try to straighten it up -

At 05:32 PM 8/16/98 +0100, Luke Kenneth Casson Leighton wrote:
>On Fri, 14 Aug 1998, Adam G Goode wrote:
>> In order to run perfmon against a remote machine you must first
>> authenticate yourself to the remote machine (typically done by mapping to a
>> share). This is the only authentication that takes place. Having used
>> this functionality extensively and never encountered the described
>> behavior (as well as retesting prior to this post), the logon/logoffs you
>> are experiencing are not due to perfmon but are probably associated with someone
>> trying to break into your system.

>if you map to a share, an open SMB connection is maintained (SMBsesssetupX
>followed by SMBtconX to "Share_name"), and doing an SMBtconX to IPC$ or
>any other share will not require the password to be entered.

>this would imply, iff there is no attack going on, that the
>remote administrator running Perfmon has not opened any shares on the
>target server, like you have.

First of all, a connection to another machine implies a connection to IPC$. An attempt to open the registry (or any other resource) will implicitly open a connection to IPC$. You can verify this by running RegConnectRegistry() on a remote host, then before you close the handle, run "net use", and you'll see a connection to IPC$.

Secondly, here's how a performance monitor session is going to work:

1) The HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib key has to be accessed. As a side-note, setting auditing on this key, then running perfmon, is going to flood your logs. If you wish to control access to performance counters, setting permissions on this key will do the trick.

2) You also have to be able to open HKEY_PERFORMANCE_DATA. Note that the CurrentVersion key is on the allowed paths, but HKEY_PERFORMANCE_DATA is not.
If someone were running perfmon once a minute without permission to log in, it would cause the behavior.

David LeBlanc
dleblanc@mindspring.com
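The once-a-minute logon/logoff pattern described at the end of the message is easy to pull out of an exported security log, and doing so is the quickest way to settle the "perfmon or intruder" question the thread is arguing about. The following is an added example, not code from the original post or from the list. The log lines are constructed to resemble an NT 4 security-log export (event 528 = successful logon, 538 = logoff); the exact line layout, the `find_periodic_logons` function and the `known_monitors` allowlist are assumptions of this example and would need adapting to a real export.

```python
"""Spot a source that logs on at a steady interval, as a polling perfmon
client does. Added example, not part of the original post."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample (assumed layout): a workstation logging on and off
# every minute, plus one console logon that should not be flagged.
SAMPLE_LOG = """\
08/16/98 05:30:01 Security Success Audit Logon/Logoff 528 JDOE WS-PERF
08/16/98 05:30:02 Security Success Audit Logon/Logoff 538 JDOE WS-PERF
08/16/98 05:31:01 Security Success Audit Logon/Logoff 528 JDOE WS-PERF
08/16/98 05:31:02 Security Success Audit Logon/Logoff 538 JDOE WS-PERF
08/16/98 05:32:01 Security Success Audit Logon/Logoff 528 JDOE WS-PERF
08/16/98 05:32:02 Security Success Audit Logon/Logoff 538 JDOE WS-PERF
08/16/98 05:33:01 Security Success Audit Logon/Logoff 528 JDOE WS-PERF
08/16/98 05:33:02 Security Success Audit Logon/Logoff 538 JDOE WS-PERF
08/16/98 05:40:15 Security Success Audit Logon/Logoff 528 ADMIN CONSOLE
"""

LOGON_OK = 528  # NT 4 event id: successful logon

# Matches the constructed layout above: date, time, log, result, category,
# event id, user name, source workstation.
LINE_RE = re.compile(
    r"(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) Security \S+ Audit "
    r"Logon/Logoff (?P<event>\d+) (?P<user>\S+) (?P<source>\S+)"
)


def parse(text):
    """Yield (timestamp, event_id, user, source) for every parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in any other layout rather than guess
        ts = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%y %H:%M:%S")
        yield ts, int(m["event"]), m["user"], m["source"]


def find_periodic_logons(text, known_monitors=frozenset(),
                         min_count=3, period_s=60, tolerance_s=5):
    """Return {(user, source): logon_count} for every user/source pair whose
    successful logons recur at roughly `period_s` seconds at least
    `min_count` times. Sources in `known_monitors` (your sanctioned
    monitoring stations) are skipped, since they produce the same pattern."""
    logons = defaultdict(list)
    for ts, event, user, source in parse(text):
        if event == LOGON_OK and source not in known_monitors:
            logons[(user, source)].append(ts)

    hits = {}
    for key, times in logons.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        steady = [g for g in gaps if abs(g - period_s) <= tolerance_s]
        # n steady gaps means n+1 logons on the same cadence
        if len(steady) + 1 >= min_count:
            hits[key] = len(times)
    return hits


if __name__ == "__main__":
    for (user, source), n in find_periodic_logons(SAMPLE_LOG).items():
        print(f"{user} from {source}: {n} logons on a ~60 s cadence")
```

A hit is a lead, not a verdict: the same cadence comes from an authorised administrator's perfmon polling, which is why the allowlist exists. The confirming step is the one the message points at: check whether that user is permitted to read the Perflib key and HKEY_PERFORMANCE_DATA on the target, and tighten the Perflib key's permissions if not.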