Re: 'rooted' NT/2K boxen?

From: H C (keydet89at_private)
Date: Fri May 03 2002 - 06:54:15 PDT


    I understand that you didn't get to do a forensics
    analysis of the system, but did you get a chance to
    actually look at the fport output?  Also, when you say
    that lb.exe hid the processes from "all monitoring
    agents", what are you referring to?  Did you get to
    see any of the output of any tools?  If so, do you
    still have copies?
    Do you have any idea where in Russia this "lb.exe"
    came from?  Is there anything in the snort or IIS logs
    that points to the site?  Do you still have a copy of
    the FTP script file used?
    > Yeah, sorry, I meant Task Manager. Unfortunately I
    > don't have a copy
    > of lb.exe, although it was impressive. It did a
    > great job of hiding all
    > of the processes from all monitoring agents. The
    > only reason the person
    > knew they had it was they had Snort running. It
    > caught and logged the
    > Unicode attack. They were running IIS 5.0 on a
    > Win2000 machine, too.
    > Netstat didn't show the open port connecting to the
    > IRC channel, and
    > neither did fport. There was even a GUI menu that
    > showed which processes
    > were hidden and which ones weren't. You could
    > choose which things to
    > hide, and which ones to let show. All of the normal
    > methods of gathering
    > system info were on the menu. I didn't get to make a
    > complete forensic
    > examination because the user of the box had messed
    > around with things
    > before I got there.

    This archive was generated by hypermail 2b30 : Fri May 03 2002 - 08:36:43 PDT