Re: Possible DoS attack to NT boxes running OpenNT 2.1

From: David LeBlanc (dleblancat_private)
Date: Sat Aug 15 1998 - 12:24:34 PDT


    At 06:35 PM 8/15/98 +0200, n3m0 wrote:
    
    >I'm sorry but I can't agree with this. I am the system administrator and I
    >had tested it thoroughly before I sent my first post and I have tested it
    >again before sending this new one. I have tried the experiment from accounts
    >with different access rights, even administrative ones, and NO ONE on the
    >system (Administrators included) could kill the processes. They seem to be
    >"protected" system tasks. They may inherit this property from their parent
    >POSIX processes.
    
    >I couldn't find any file called TKILL.EXE, so I tried to kill them through
    >the Task Manager and the kill command, but neither of them was able to free
    >the resources.
    
    I'm not familiar with tkill, but there is more than one kill app running
    around.  Not to be a smartass, but you did give the kill a -9?  The deal
    here is that you need to be able to open the process.  If you don't have
    explicit rights to open the process, you need to have debug rights so that
    you can open someone else's process.  If you enable debug in your process,
    _then_ try to open the process, it will open, and you can then terminate
    it.  Some versions of kill do this, some don't.
    
    Another trick I saw (in NT mag, I think) was to use the scheduler to start
    an instance of the task manager running under the context of LocalSystem.
    That will nuke just about anything, and can be done from any NT box where
    you are logged in as admin.  If you go nuking certain system processes,
    you'll BSOD, so don't get too adventurous.
    
    Something else that would be of help would be an app called exetype, which
    is in the Resource Kit.  I don't know which calls it makes to find this
    out, but it can tell the difference between a character mode app and a GUI
    app.  The OpenNT telnet daemon could make the same calls to check whether
    the app was something that should be run, and you could make a perl script
    to tell you which apps were command line so that you could ACL things
    easily by using a group as you suggested - create a "telnet users" group,
    and deny them access to GUI apps.
    
    
    David LeBlanc
    dleblancat_private
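
The "enable debug in your process, then open the process" sequence above, as an
added example that is not code from the original post or from any kill utility:
a PowerShell script with a small P/Invoke wrapper. The `DbgKill` class and the
`Stop-ProcessWithDebug` function are names I chose here. It assumes the caller
is a member of Administrators, who are assigned SeDebugPrivilege by default but
do not have it enabled in their token until something calls
AdjustTokenPrivileges, which is exactly why a plain OpenProcess fails first.

```powershell
# Added example (not from the original post). Enable SeDebugPrivilege in the
# current process, then open a target PID with PROCESS_TERMINATE and kill it.
# The scheduler trick mentioned in the post was, on NT 4:  at HH:MM /interactive taskmgr.exe
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class DbgKill {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    public const uint TOKEN_QUERY             = 0x0008;
    public const uint SE_PRIVILEGE_ENABLED    = 0x0002;
    public const uint PROCESS_TERMINATE       = 0x0001;
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Auto)]
    public static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES newState,
                                                    uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError=true)] public static extern bool TerminateProcess(IntPtr h, uint code);
    [DllImport("kernel32.dll", SetLastError=true)] public static extern bool CloseHandle(IntPtr h);

    // Turn on SeDebugPrivilege in our own token. Returns false if the
    // privilege is not assigned to this account at all.
    public static bool EnableDebug() {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out tok)) return false;
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.PrivilegeCount = 1;
        tp.Attributes = SE_PRIVILEGE_ENABLED;
        if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out tp.Luid)) { CloseHandle(tok); return false; }
        bool ok = AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        // AdjustTokenPrivileges returns TRUE even when nothing was enabled;
        // ERROR_NOT_ALL_ASSIGNED (1300) in the last error means the account lacks it.
        int err = Marshal.GetLastWin32Error();
        CloseHandle(tok);
        return ok && err == 0;
    }
}
"@

function Stop-ProcessWithDebug {
    param([Parameter(Mandatory)][int]$ProcessId)
    # First a plain open, which is all Task Manager or a naive kill does.
    $h = [DbgKill]::OpenProcess([DbgKill]::PROCESS_TERMINATE, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        Write-Verbose "Plain OpenProcess on PID $ProcessId failed; enabling SeDebugPrivilege and retrying"
        if (-not [DbgKill]::EnableDebug()) { throw "SeDebugPrivilege is not assigned to this account" }
        # With debug enabled the object manager grants the open regardless of the process DACL.
        $h = [DbgKill]::OpenProcess([DbgKill]::PROCESS_TERMINATE, $false, $ProcessId)
        if ($h -eq [IntPtr]::Zero) {
            throw "OpenProcess still failed with debug enabled (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
        }
    }
    try {
        if (-not [DbgKill]::TerminateProcess($h, 1)) { throw "TerminateProcess failed" }
        return $true
    } finally {
        [void][DbgKill]::CloseHandle($h)
    }
}

# Usage (run from an administrative PowerShell):  Stop-ProcessWithDebug -ProcessId 1234 -Verbose
```

Note that the privilege is enabled only in this PowerShell process; nothing about
the target changes. The post's warning still applies: with debug enabled you can
open and terminate core system processes too, and doing so will bugcheck the box.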
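
The exetype idea above, as an added example that is not from the original post
or the Resource Kit: exetype reads the PE header's Subsystem field, and a script
can do the same to list the GUI binaries in a directory and, if asked, put a
Deny ACE for a "Telnet Users" group on them. The function names
`Get-PESubsystem`, `Find-GuiApps` and `Deny-GroupOnGuiApps` and the group name
are my own assumptions; the field offsets are from the PE format.

```powershell
# Added example (not from the original post). Classify executables by PE
# subsystem, the same header field the Resource Kit's exetype reports.
function Get-PESubsystem {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: "MZ" at 0, e_lfanew (offset of the PE signature) at 0x3C.
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return 'NotPE' }
    $peOff = [BitConverter]::ToInt32($b, 0x3C)
    # Subsystem is at offset 68 of the optional header for both PE32 and PE32+;
    # the optional header begins 4 (signature) + 20 (COFF file header) bytes after "PE\0\0".
    if ($peOff -le 0 -or ($peOff + 94) -gt $b.Length) { return 'NotPE' }
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { return 'NotPE' }
    $sub = [BitConverter]::ToUInt16($b, $peOff + 24 + 68)
    switch ($sub) {
        2       { 'GUI' }            # IMAGE_SUBSYSTEM_WINDOWS_GUI
        3       { 'CUI' }            # IMAGE_SUBSYSTEM_WINDOWS_CUI (character mode)
        7       { 'POSIX' }          # IMAGE_SUBSYSTEM_POSIX_CUI
        default { "Other($sub)" }
    }
}

# List every GUI-subsystem .exe under a directory.
function Find-GuiApps {
    param([string]$Directory = "$env:SystemRoot\System32")
    Get-ChildItem -Path $Directory -Filter *.exe -File | ForEach-Object {
        [pscustomobject]@{ Path = $_.FullName; Subsystem = Get-PESubsystem -Path $_.FullName }
    } | Where-Object { $_.Subsystem -eq 'GUI' }
}

# Dry run by default; with -Apply, add a Deny Read/Execute ACE for the group
# to each GUI binary found (the approach suggested in the post).
function Deny-GroupOnGuiApps {
    param([string]$Directory = "$env:SystemRoot\System32",
          [string]$Group = 'Telnet Users',   # assumed group name
          [switch]$Apply)
    foreach ($app in Find-GuiApps -Directory $Directory) {
        if (-not $Apply) { "would deny '$Group' ReadAndExecute on $($app.Path)"; continue }
        $acl  = Get-Acl -Path $app.Path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, 'ReadAndExecute', 'Deny')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $app.Path -AclObject $acl
    }
}

# Usage:  Deny-GroupOnGuiApps -Directory "$env:SystemRoot\System32"          (report only)
#         Deny-GroupOnGuiApps -Directory "$env:SystemRoot\System32" -Apply   (write the ACEs)
```

The subsystem field only says what the loader expects; a character-mode
program can still create windows, and the ACL is on the file, not on the
behaviour, so treat the list as a starting point for review rather than a
security boundary. Applying Deny ACEs to system binaries also needs ownership
or Full Control on them, and a Deny entry on a file used by an unrelated
service will break that service.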
    


