December 9th, 2003, 07:02 AM
unknowen user added themself with full permissions XP
A unknowen user has poped into my system. I have file shareing enabled for my network and this user has somehow added themself to certian folder shares with full permissions. It is a numeric username and apears it might have been machine generated but I am unsure. Each time this user apeard in my shares I deleted without thinking to take a screenshot. However the user can still be seen in my registry as attached. My administrative tools, computer management does not list this user. And this is what I don't understand.
Can someone help me out, might I have become comprimized, or perhaps a machine generated user for shareing purposes.
Should I be woryed?
December 9th, 2003, 07:33 AM
No worries, mate. That's the local system account. It should have full access to everything.
December 9th, 2003, 07:36 AM
I just checked my registry and have the same person, but I have no shared files or printers. As a matter of fact my sharing is disabled for the sheer fact of intrusion which I understand is not an option for you on a network. I would save the settings and change the values if you are that worried. Sometimes by changing the values you can ruin or distort what the intuder (if there is one) is seeing or has the ability to run. Just a thought and I am sure someone has way better ideas, but I thought I would share my experience.
December 10th, 2003, 01:14 AM
Thank you, glad its my system. My file shares are not visible with network scaners as I have tested outside my network, so it seemed strange how this account apeared.
This makes me feel much safer now that my system is the culprit. Thanks.
December 10th, 2003, 02:56 AM
I also have the same users under my registry. Do you have Visual Studio .net installed in your computer? I think the users added in your registry was a result of installing dot net..
December 10th, 2003, 09:31 AM
This SID, S-1-5-18 is the "LocalSystem" account. You can see this here
It isn't a security risk, so there is nothing to worry about.
I don't know why it's shown in numeric form in an ACL box, rather than "NT Authority\LocalSystem", as I would expect.