Yeah, I understand that a reboot is likely required to overwrite key system files. And that it probably requires Administrator access. Yup. My question was based on after all the above likely happens to the hapless user/administrator. (I know no-one out there logs in as admin equivalent for day-to-day use, right?) I've seen lately servers behind hardware firewalls (decently locked down) with NAV up to date and still don't KNOW that they haven't been somehow affected. Apart from the whole IDS/IPS discussion, I was looking for a more basic way to verify what was actually running on the server. Again, thanks for the input and I'll check out Tripwire...

-Faith

>>> "Andrew Plato" <aplato@private> 7/28/2003 10:17:51 AM >>>

Yes, you are correct. Windows will essentially run anything as long as it is in the right place. However, it is not easy to replace such key files. Windows won't just allow you to copy over key OS files while the system is running. They are locked. Usually a reboot is necessary and a variety of file maneuvering is necessary. Usually this must be part of some worm (automated to do such things) or a savvy hacker who can stage files and the shell into the machine.

Therefore, the key is to stop such intrusions before they happen. Anti-virus and host-based IDS/IPS are also a good idea. Even a cheap "personal firewall" is better than nothing.

Another way to control such things is to use a file integrity monitor. That way when explorer.exe changes, you get an alert. If it's part of a patch, then you can be reasonably certain it's okay. If suddenly explorer.exe changes at 4:15 on a Monday afternoon, for no reason, then you have cause for alarm. Tripwire is a good file monitor. Others out there exist. You can even use BlackICE ($29.95 at Frys) to do this. See my paper at: http://www.anitian.com/Corp/papers/BI%20AC%20tweaking.pdf

Another thing you might consider is doing periodic spyware checks on the machine. I prefer Spybot Search and Destroy (just type Spybot into Google, you'll find it). It's freeware and it's very good. It even has a very handy "immunize" feature that can prevent 400+ trojans from ever getting on to your system.

I am not aware of a single resource that lists all the possible perturbations of key Windows files. Microsoft might have something like that, but I've never seen it.

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
Enterprise Security & Infrastructure Solutions
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

> -----Original Message-----
> From: owner-crime@private [mailto:owner-crime@private]
> On Behalf Of Faith Baynes
> Sent: Monday, July 28, 2003 9:22 AM
> To: crime@private
> Subject: CRIME Windows processes
>
>
> OK - let's get the obligatory ewwww out of the way. Some
> companies do use Windows servers. That's life.
>
> Anyway, is there a list out there somewhere of what processes
> run in say, an average Win2k SP3 Server install? Let me
> qualify - a reputable list? Usually I'm stuck searching for
> an exe that's running in Google. I see some sites that
> contain lists of processes but I don't get the warm fuzzies
> that this is a definitive answer... Ideally, what I'd like is
> program.exe does THIS and runs from THIS location and should
> have THIS file size and date. In the field, I have not found
> MS's knowledgebase to be of help in this area.
>
> It is possible for a process that looks like a Windows
> process to be in fact, something less desirable, right? I am
> assuming that Windows will happily load explorer.exe as long
> as the exe is where Windows expects it to be regardless of
> the altered file size or date...
>
> So.... does such a resource exist?
>
> Thanks in advance for any input.
>
> -Faith
>
>
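As an added example (not part of the original thread, nor Tripwire's or BlackICE's code), here is the baseline-and-compare check that Andrew's "file integrity monitor" suggestion boils down to, written in Python so it runs anywhere. The fake system directory, the sample files, and the function names (`build_baseline`, `compare`, `demo`) are all constructed for the demo. The tamper step is the caveat worth taking from the original question: the replaced explorer.exe keeps the same size and the same date, so a check built only on "THIS file size and date" would miss it, while the SHA-256 does not.

```python
"""
Minimal file-integrity baseline/compare in the style of Tripwire.
Added example, not from the mailing-list thread. Records size, mtime and
SHA-256 for every file under a watch root, persists that as JSON, and later
reports added / removed / changed files against the saved baseline.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Size, mtime (whole seconds) and SHA-256 of one file, hashed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Walk `root` and record every regular file, keyed by its relative path."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; in real use this lives on read-only or offline media."""
    dest.write_text(json.dumps(baseline, indent=1))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines. 'changed' maps path -> list of attributes that differ."""
    changed = {}
    for rel in baseline.keys() & current.keys():
        diffs = [k for k in ("size", "mtime", "sha256")
                 if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": changed,
    }


def demo() -> dict:
    """Constructed scenario (assumed, not real system files): baseline a fake
    system32, then replace explorer.exe with same-length bytes and restore its
    mtime so size and date look untouched, and drop an extra binary."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "system32"
        root.mkdir()
        (root / "explorer.exe").write_bytes(b"MZ original explorer bytes")
        (root / "svchost.exe").write_bytes(b"MZ original svchost bytes")

        db = Path(d) / "baseline.json"
        save_baseline(build_baseline(root), db)

        # Tamper: same length, different content, then reset the timestamps.
        target = root / "explorer.exe"
        old = target.stat()
        target.write_bytes(b"MZ replaced explorer bytes")  # same 26-byte length
        os.utime(target, ns=(old.st_atime_ns, old.st_mtime_ns))
        (root / "evil.exe").write_bytes(b"MZ dropper")

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
    # explorer.exe shows up under "changed" with only ["sha256"] differing;
    # evil.exe shows up under "added".
```

Two practical notes. First, the baseline is only as trustworthy as the place you keep it: if it sits writable on the same box, the same intruder who swapped explorer.exe can rewrite baseline.json, so keep it offline or on read-only media (Tripwire signs its database for this reason). Second, a patch day will light up dozens of entries at once; the useful signal is the lone change with no corresponding update, which is exactly the "4:15 on a Monday afternoon" case above.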
This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 10:59:56 PDT