> Very likely, they copied winnt\system32\cmd.exe to > \scripts\dr.exe. If you check file sizes and dates > modified, they should be identical. The reason why is > because they cannot run cmd.exe from the system32 > directory, they have to run it from the scripts folder > (I think. Can anyone else confirm this?). No, there is no problem running cmd.exe from it's place in system32 (that's how they get cmd.exe copied to /scripts/), but each time requires executing whatever exploit they've used. To make it easier you copy cmd.exe to the scripts dir so you can execute it directly. This also cuts down on IDS hits and system logs that look very suspicious. -Jon ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 15:35:21 PDT