Re: 'rooted' NT/2K boxen?

From: Cody Hatch (codyat_private)
Date: Thu May 02 2002 - 19:30:16 PDT


    Yeah, sorry, I meant Task Manager. Unfortunately I don't have a copy
    of lb.exe, although it was impressive. It did a great job of hiding all
    of the processes from all monitoring agents. The only reason the person
    knew they had it was they had Snort running. It caught and logged the
    Unicode attack. They were running IIS 5.0 on a Win2000 machine, too.
    Netstat didn't show the open port connecting to the IRC channel, and
    neither did fport. There was even a GUI menu that showed which processes
    were hidden and which ones weren't. You could choose which things to
    hide, and which ones to let show. All of the normal methods of gathering
    system info were on the menu. I didn't get to make a complete forensic
    examination because the user of the box had messed around with things
    before I got there.
    
    Cody Hatch
    HALO Network Security
    
    > Cody, 
    > 
    > Of all of the responses I've seen so far, yours is by
    > far the most informative.  Thanks.
    > 
    > 
    > I guess the specifics are that using the dir
    > transversal exploit (patch published in Nov
    > '00...ouch!), this autorooter sent echo commands to
    > the system to create and launch the ftp script file.
    > 
    > Do you have a copy of "lb.exe", by chance?
    > 
    > This is interesting.  First off, neither netstat nor
    > Program Manager show process information, so hiding
    > process info from them isn't tough.  I'm going to
    > assume you mean Task Manager...but again, that's an
    > API call to hide a process from TM.  Netstat on XP
    > will show process info, but not on NT/2K.  
    > 
    > I'd be interested in getting a copy of lb.exe to look
    > at, or some more specifics on this ability to hide
    > processes you mentioned...
    > 
    > 
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu May 02 2002 - 22:20:22 PDT