
Unknown IP Addresses in the Shared Folder Sessions Area

Status
Not open for further replies.

AnthonyCasta

IS-IT--Management
Dec 5, 2005
28
US
I'm running a Windows 2000 Advanced Server network, which consists of 3 servers ... I recently discovered that on all of my servers, within the shared folders sessions, there are some unknown outside IP addresses in there ...

Some have 1 open file others have 2 and one has 4 ..

I noticed that the logon time and the idle time are almost the same, as if they logged in and then sat there??? ...

When I view the open files there are some listed as \PIPE\BROWSER and \PIPE\SMBA

I closed the sessions and they seem to come back .. Do I have a hacker???

I do host my own website, but at the moment it is only one page, I can't see why someone would be looking at it for 8+ hours!!!!

Thx ... Tony
 
Are there any other open files that are running? Do you see anything in the Task Manager processes that looks abnormal?

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong"
 
The only other open files that are running are ...

C:\Internet and
C:\Intranet

Which are my internet and intranet directories ... They are being accessed by known users on my network, actually they are accessed by the file server's login id ... They only have the read permission, where the \pipe\browser have the read+write permission.

The only two items in my task manager\processes list that I would question would be:
locator.exe &
mad.exe ...

Thx
 
If you suspect an intruder in the slightest, you may want to put the Network Monitoring Tool on your server and do a few packet captures to see if you have traffic shipping out to the internet that you wouldn't expect.

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong"
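
One way to triage the session list discussed in this thread, added here as an example and not part of any poster's reply: it parses saved `net session` output and lists the sessions whose client address falls outside the internal ranges, longest idle first. The sample output, the internal ranges, and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample of saved `net session` output; column layout and hh:mm:ss idle format are assumed.
SAMPLE = r"""
Computer               User name            Client Type       Opens Idle time
-------------------------------------------------------------------------------
\\192.168.1.20         FILESRV              Windows 2000 2195     2 00:01:07
\\203.0.113.45                              Windows 2000 2195     1 08:12:40
\\198.51.100.7                              Unix                  4 08:10:02
\\WKSTN-04             TONY                 Windows 2000 2195     0 00:00:15
The command completed successfully.
"""

# Assumption: everything the LAN legitimately uses falls in these ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# \\client, free-form middle (user name and client type), open count, idle time.
ROW = re.compile(r"^\\\\(\S+)\s+(?:.*?)\s+(\d+)\s+(\d+):(\d{2}):(\d{2})\s*$")

def parse_sessions(text):
    """Return one dict per session row; header and status lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            client, opens, h, mi, s = m.groups()
            sessions.append({"client": client, "opens": int(opens),
                             "idle_s": int(h) * 3600 + int(mi) * 60 + int(s)})
    return sessions

def classify(client):
    """'internal', 'external', or 'name' when the client is not an IP literal."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return "name"  # NetBIOS name: resolve it before trusting it
    return "internal" if any(addr in n for n in INTERNAL_NETS) else "external"

def external_sessions(text):
    """External-address sessions as (client, opens, idle_s), longest idle first."""
    hits = [(s["client"], s["opens"], s["idle_s"])
            for s in parse_sessions(text) if classify(s["client"]) == "external"]
    return sorted(hits, key=lambda t: t[2], reverse=True)

if __name__ == "__main__":
    for client, opens, idle_s in external_sessions(SAMPLE):
        print(f"{client:<16} opens={opens} idle={idle_s // 60} min")
```

Saving the output at intervals and comparing the flagged rows shows whether the same outside addresses reconnect after their sessions are closed.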
 