Archived from groups: microsoft.public.win2000.security
That probably is the default administrative shares you are seeing such as C$, etc.
Those are hidden and only available to administrators. If you have no reason to share
folders on your server you can [and should] disable or uninstall file and print
sharing. Note if you do disable it that you can not use Computer Management or other
utilities that rely on it, though you can use Terminal Services in remote
administrative mode if need be. On a web server it is also a great idea to run the
IIS Lockdown tool for your version of IIS, though I would not recommend doing such
without a full backup first including the System State and IIS configuration via the
IIS Management Console. Hopefully you are using a firewall to restrict both inbound
AND outbound traffic to authorized traffic. In a pinch you can use the built-in IPsec
to create a filtering policy to manage outbound traffic if need be to allow outbound
only from ports 80 and 443 TCP, etc. on your web server. The nice thing about IPsec
policy is that it takes effect almost immediately after you assign or unassign it -
no software to install or a reboot required. --- Steve
http://www.microsoft.com/technet/security/tools/locktool.mspx
http://www.winnetmag.com/Article/ArticleID/24273/24273.html
http://www.securityfocus.com/infocus/1559
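An added audit script illustrating Steve's first point (this is not code from the thread or from Microsoft): it lists the shares the Server service currently exposes, flags the administrative ones (C$, ADMIN$, IPC$) that reappear after every restart, and reports the LanmanServer AutoShareServer registry value that controls whether they are recreated. It assumes a current Windows host with PowerShell 3.0 or later and the CIM cmdlets; Windows 2000 itself predates PowerShell.

```powershell
# Added example (not from the original thread). Assumes a current Windows host with
# PowerShell 3.0+ and the CIM cmdlets; Windows 2000 itself predates PowerShell.

function Get-ShareAudit {
    # Win32_Share.Type has its high bit set for administrative shares (C$, ADMIN$, IPC$).
    Get-CimInstance -ClassName Win32_Share | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Path    = $_.Path
            IsAdmin = ($_.Type -ge 2147483648)     # 0x80000000 and above = admin share
            Hidden  = $_.Name.EndsWith('$')        # trailing $ hides it from browsing
        }
    }
}

function Get-AutoShareSetting {
    # The Server service recreates C$/D$/ADMIN$ at every start unless
    # AutoShareServer is set to 0; a missing value means the default (recreated).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name AutoShareServer -ErrorAction SilentlyContinue
    if ($null -eq $val)                  { 'not set (admin shares recreated at boot)' }
    elseif ($val.AutoShareServer -eq 0)  { 'disabled (0)' }
    else                                 { "enabled ($($val.AutoShareServer))" }
}

Get-ShareAudit | Format-Table -AutoSize
"AutoShareServer : $(Get-AutoShareSetting)"
"Server service  : $((Get-Service -Name LanmanServer).Status)"
```

Run it from an elevated PowerShell prompt. Shares flagged IsAdmin together with an unset AutoShareServer value is the stock configuration, which matches what Serg saw (sharing shown as enabled on every drive after each restart) without indicating a compromise. A non-administrative share with a path you did not create is the finding worth following up. As Steve notes, turning the shares off, whether by setting AutoShareServer to 0 or by stopping the Server service, also removes what Computer Management and similar remote-administration tools depend on.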
"Serg" <serg@discussions.microsoft.com> wrote in message
news:21c9901c45ae2$f7d3d420$a001280a@phx.gbl...
> I have noticed that on each server restart File Sharing is activated on
> all hard drives. There is no sharing icon in Windows Explorer, but when
> I go to HD Properties the sharing is enabled.
> It is very hard for me to reinstall the OS, because this is an
> active Web Server.
>
> >-----Original Message-----
> >That is interesting as apparently something is causing that behaviour. Maybe
> >you are unlucky enough to have one of the root kit system compromises that
> >will not be detected by normal means, and I am not sure what the best way is
> >to detect one but if it was my computer I would reformat and reinstall as I
> >suggested before if nothing obvious turned up that was easily fixed. Below
> >is a link to an article on root kit attacks. Also search http://Google.com
> >web AND news for "windows root kits" if interested.
> >
> >http://www.securityfocus.com/news/2879
> >
> >If you want to try more detailed analysis of what is going on in your
> >operating system I would suggest some free tools from SysInternals that can
> >do far beyond what Task Manager will do but it may be difficult to pinpoint
> >a rogue process unless you can compare to a known clean [hopefully pristine]
> >like-configured system. You may however track a process back to a folder or
> >an executable. In particular TCPview, Process Explorer, PsList, and
> >Autoruns may be helpful. --- Steve
> >
> >http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
> >
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:2137201c45a74$346d21d0$a101280a@phx.gbl...
> >>
> >> >-----Original Message-----
> >> >First off you have either been hacked or infected and need to take measures to remedy
> >> >that which may ultimately be to back up your data including your profile folders
> >> >under documents and settings and reinstalling your operating system. A full virus
> >> >scan with up to date definitions is needed and there are online sites such as the one
> >> >below that can help you. I would also run a parasite removal program such as AdAware
> >> >with the latest definitions which could find things missed by a virus scan program.
> >> >
> >>
> >> Thank you for your detailed reply. Unfortunately, I have
> >> been using the latest definitions of NAV, and a few spyware
> >> programs and anti-Trojan software, and nothing was detected.
> >> There is no visible suspected process in Task Manager, I
> >> can tell.
> >> >http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
> >> >http://www.lavasoftusa.com/software/adaware/
> >> >
> >> >After you remedy that situation be sure that your virus scan program scans all your
> >> >emails, that you use a firewall, keep current with critical updates at Windows Update
> >> >which can be done automatically, and never use less than the default medium security
> >> >level for the Internet Explorer internet web content zone. Also see that last link for
> >> >tips on removing files that you can not delete that may involve the use of some free
> >> >third party tools to find and kill the process using the file. --- Steve
> >> >
> >> >http://www.microsoft.com/security/protect/
> >> >http://mvps.org/winhelp2002/unwanted.htm#
> >> >http://support.microsoft.com/?kbid=320081
> >> >
> >> >"serg" <serg@discussions.microsoft.com> wrote in message
> >> >news:2131601c45a37$d4af35d0$a501280a@phx.gbl...
> >> >> Something (somebody) is generating a new folder named
> >> >> multiple digits/letters on my hard drive (Server 2000)
> >> >> every day.
> >> >> I can't delete it, because "directory not empty,
> >> >> files used by a process".
> >> >> I have tried to do it in Safe Mode & DOS with no
> >> >> success.
> >> >> How can I find out what process to kill, when the
> >> >> directories are hidden by name "."?
> >> >>
> >> >> Please help.