Re: 'rooted' NT/2K boxen?

From: H C (keydet89at_private)
Date: Thu May 02 2002 - 15:42:39 PDT


    Cody, 
    
    Of all of the responses I've seen so far, yours is by
    far the most informative.  Thanks.
    
    > I saw a Win2000 machine rooted just last week by an autorooter taking
    > advantage of the pre-10pack rollup Microsoft put out just recently. It
    > was hacked through a Unicode attack by an auto-rooter from Russia,
    > connected to an ftp site in Moscow and downloaded a file named "lb.exe",
    
    I guess the specifics are that using the directory
    traversal exploit (patch published in Nov
    '00...ouch!), this autorooter sent echo commands to
    the system to create and launch the ftp script file.
    
    Do you have a copy of "lb.exe", by chance?
    
    > which, when run connects to an IRC server in Moscow, loads an
    > auto-rooter with a list of servers to attack, and hides the processes
    > from netstat, Program Manager, etc. It was pretty slick.
    
    This is interesting.  First off, neither netstat nor
    Program Manager show process information, so hiding
    process info from them isn't tough.  I'm going to
    assume you mean Task Manager...but again, that's an
    API call to hide a process from TM.  Netstat on XP
    will show process info, but not on NT/2K.  
    
    I'd be interested in getting a copy of lb.exe to look
    at, or some more specifics on this ability to hide
    processes you mentioned...
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Thu May 02 2002 - 15:47:02 PDT