Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:2474 |
Message | NETBIOS SMB-DS ADMIN$ share access |
Summary | This event is generated when an attempt is made to access the ADMIN$ administrative share of a Windows host. |
Impact | Serious. Possible administrator access to the host. Information disclosure. |
Detailed Information | By default, Windows hosts expose administrative shares of the local hard drives, named using the format %DRIVE_LETTER% + $. Anybody with administrative rights can access these shares remotely. |
Affected Systems | Windows hosts. |
Attack Scenarios | An attacker may be attempting to access files located on the C drive of the host. |
Ease of Attack | Simple. |
Corrective Action | Disallow NetBIOS access from external networks (TCP port 139). |
Additional References | Arachnids: http://www.whitehats.com/info/IDS339; Microsoft: http://support.microsoft.com/default.aspx?scid=kb;en-us;100517 |
--
DID:357495