filename is my password -- anyone know about this

  1. #1
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76

    Question filename is my password -- anyone know about this

    (Right forum for this?)

    I just happened to notice a file in my root (C:\) -- a 0 byte file whose name is my administrator password, created yesterday at 8:38 local (CST), yes, I was logged in at the time. There's nothing unusual about the permissions or attributes. There's no alternate data stream in it.


    Putting aside the myriad possible ways I could have brain-farted this and created it in my sleep -- anyone have any idea how or what *could* have done this? Have you seen this before?


    I'm thinking a failed harvest attempt by something...


    System is a pretty well locked down Win XP (locked down = server service off, messenger service off, most current Zone Alarm, non-essential services off, etc.). I run ClamWin every week. I just ran SpyBot, Adaware, and Hijackthis a couple of days ago -- cleaned the system of simple cookie tracking baddies. It has the most current security patches and cruft (NOT including SP2). I use Firefox (v.s. Exploder). -- Yes, you could say I'm careful...

    Ideas? (Cranial Rectal Inversion?)

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Wild guess: any chance you might have botched a "runas" with an output redirection at the command line and somehow typed the admin password as filename or something like that?

    Ammo
    Credit travels up, blame travels down -- The Boss

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Disregarding the possibility that your password is autoexec.bat or boot.ini....

    Were you doing any maintenance at the time? Using a cmd prompt at the time?

    I'm thinking that because if you mistyped some things that would use an admin password you could inadvertently pipe your password as the filename for a file that ends up with no contents, similar to me typing

    echo > mypassword.txt

    That creates a file with "Echo is on" in it but something else may create the file and place nothing in it.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Senior Member
    Join Date
    Jun 2004
    Posts
    281
    I can't think of anything besides either the two prior posts or something along the lines of malicious ware that did that with your password.

    Create a new password and see what happens.

    - MilitantEidolon
    Yeah that's right........I said It!

    Ultimately everyone will have their own opinion--this is mine.

  5. #5
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76

    It gets weird-er

    Again, referring to a possible cranial rectal inversion, no, I don't recall entering my password at a command prompt and piping it into a file...



    I don't have any scripts that connect drives, if I did, I'd use an asterisk and not the password. There's no AT scripts scheduled, nothing in Scheduler service (it's disabled too).


    Some additional information, it gets weird-er:

    At 8:38 (the time the file was created) the messenger service was started (according to Event Viewer). Upon checking the messenger service in services, I find that it is indeed DISABLED, but in fact STARTED. Go figure!

    Sorry to hand out such a tough one so late in the day...

  6. #6
    Senior Member
    Join Date
    Jun 2004
    Posts
    281
    Run Trend Micro's Housecall Scanner (http://housecall.trendmicro.com/) see if you find anything new.

    On top of that I would run a security scan on your ports at http://scan.sygate.com/.

    I would also reboot in safe-mode and run my adware scanners again.

    These are the things I would do if something like that happened to me.

    Worst that can come of this is you find a hole that needs to be fixed or no holes.

    - MilitantEidolon
    Yeah that's right........I said It!

    Ultimately everyone will have their own opinion--this is mine.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    You may find the thread here interesting and informative.

    Hope this helps
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76
    Thanks all.

    Will try the safe mode and the link.

    I scan the system often (we do pen testing...) and never saw anything strange -- am very paranoid here, knowing what's possible out there, that's why this one weirded me out.

    Thanks for letting me share. I'll post more if I find something. (I just KNOW I had to fat finger something, but for the life of me, I can't think of what or how!)


    Cheers!

  9. #9
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    You might want to try to find out if any other files were created at (or around) that time using something like

    dir /T:C /S c: |find "2004-08-11 8:38"

    or written to

    dir /T:W /S c: |find "2004-08-11 8:38"

    or accessed

    dir /T:A /S c: |find "2004-08-11 8:38"


    Ammo
    Credit travels up, blame travels down -- The Boss
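
Added example, not part of the original thread: a PowerShell version of the timeline check suggested in post #9, which compares real timestamps instead of matching the locale-dependent text that `dir` prints. The names `$Root`, `$Pivot` and `$WindowMinutes` and the five-minute window are assumptions; the pivot is the time given in the thread, taken here as 08:38 in the morning.

```powershell
# Timeline triage around a suspicious file's creation time (added example).
# Lists every file or directory whose creation, last-write or last-access
# time falls inside a window around the pivot timestamp.
param(
    [string]  $Root          = 'C:\',                  # assumed scan root
    [datetime]$Pivot         = '2004-08-11T08:38:00',  # time from the thread, AM assumed
    [int]     $WindowMinutes = 5                       # assumed window size
)

$from = $Pivot.AddMinutes(-$WindowMinutes)
$to   = $Pivot.AddMinutes($WindowMinutes)

# -Force includes hidden and system items; access-denied errors are skipped
# so one protected directory does not stop the sweep.
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        foreach ($kind in 'CreationTime', 'LastWriteTime', 'LastAccessTime') {
            $stamp = $item.$kind
            if ($stamp -ge $from -and $stamp -le $to) {
                # One row per matching timestamp, so a file touched twice
                # in the window appears once for each kind of event.
                [pscustomobject]@{
                    Timestamp = $stamp
                    Kind      = $kind
                    Length    = if ($item.PSIsContainer) { $null } else { $item.Length }
                    Path      = $item.FullName
                }
            }
        }
    } |
    Sort-Object Timestamp, Path |
    Format-Table -AutoSize
```

Run it from an administrator session so protected directories are readable. Last-access times are only meaningful if NTFS last-access updates have not been disabled on the volume.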

  10. #10
    Senior Member
    Join Date
    May 2004
    Posts
    274
    Last week I installed ClamWin (testing purposes, I generally use Kaspersky) and I noticed last night that my vsmon service is taking up all my processor (I have ZoneAlarm 5). I looked through my HDD and I saw some weird files. I then installed Kaspersky and it caught more than dozens of worms and trojans (that came into the system when ClamWin was running). Therefore I will suggest you install any other AV than ClamWin. Maybe it will solve your mystery.
    Excuse me, is there an airport nearby large enough for a private jet to land?
