OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Los, Ralph (rlosEnvestNet.com)
Date: Fri Aug 17 2001 - 11:30:00 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hey all,

            Better yet...is there a way that anyone out here knows of to DISABLE
    that great feature of Exploder...err...explorer.exe opening up every file in
    a directory to check for an icon? I'd like to know if anyone's heard of a
    way to do this, as I'd be very interested.

    Ralph M. Los
    Asst. Vice-President, Internet Systems and Security
    EnvestNet Advisory Corp.
    rlosenvestnet.com
    (312) 827-3945 (direct)
    (312) 296-9003 (wireless w/voicemail)
    * If you haven't been hacked, you don't know where your vulnerabilities lie*

    -----Original Message-----
    From: Bartel, Matt [mailto:Matt.Bartelqg.com]
    Sent: Thursday, August 16, 2001 4:53 PM
    To: 'Jeff Rosowski'
    Cc: 'focus-mssecurityfocus.com'
    Subject: RE: NTFS Access times

    Does anyone have specifics on what actually changes modified dates on files,
    etc. in NTFS?

    Thank you!
    -Matt

    -----Original Message-----
    From: Jeff Rosowski [mailto:rosowskiactiveiq.com]
    Sent: Thursday, August 16, 2001 11:31 AM
    To: fhrcs.urz.tu-dresden.de; FOCUS-MSsecurityfocus.com
    Subject: RE: NTFS Access times

    That's one of the things I never liked about windows explorer.. When you
    enter into a directory it opens every single file and tries to read an icon
    for it. Go into a directory with thousands of files in it and you're
    machine is out to lunch for awhile. And unfortunately this makes the last
    accessed time in NTFS one of the more useless items, since if you're looking
    at the files in windows explorer, they are always going to be accessed
    recently.

    -----Original Message-----
    From: Frank Heyne [mailto:fhrcs.urz.tu-dresden.de]
    Sent: Wednesday, August 15, 2001 10:43 AM
    To: jfolkertsmarketlink.ca; FOCUS-MSsecurityfocus.com
    Subject: RE: NTFS Access times

    On 15 Aug 2001, at 10:59, jfolkertsmarketlink.ca wrote:

    > I am very curious as to why or how
    > these files got "touched". At this point I do not suspect that the server
    > has been compromised or anything evil.

    I did the following:

    cd \winnt\system32
    dir hal.dll /ta

    This showed exactly the current time - I do not know why.

    Then I tried it with another dll:

    dir h323msp.dll /ta
    It showed the install date

    But after I viewed the properties of this file in the explorer, the last
    access time had changed.

    So it would be possible someone did just view the properties of some
    files on your system - probably nothing dangerous.

    BTW, in your original post, I miss the following information:
    How long are you running tripwire? Since 2 days or longer?

    BTW, did you know that it is possible to view the content of a file without
    changing its last access time under NT?

    Frank Heyne