RE: Compromised Win2000 machine.

From: H C (keydet89at_private)
Date: Wed May 29 2002 - 10:11:17 PDT


    Don,
    
    > look under services, find all remote procedure calls, look at the
    > properties of each one, specifically notating the actual path to the
    > called program, likely you'll find one of those do not go to the
    > winnt directory, stop that service. You may want to go through all
    > of your services that are active, and look at the program name and
    > location of the program to make sure you recognize all of them, the
    > ones you don't, take a little further look into.
    
    It's not clear why checking the services is the way to
    go on this...IMHO, I'd check the processes instead. 
    Running tools like fport, netstat, handle, listdlls,
    and pslist will get a fairly complete snapshot of
    what's going on on the system, and then using a tool
    like procdmp.pl
    (http://patriot.net/~carvdawg/perl.html) to
    consolidate that info for easy viewing might be a
    better way to go. 
    
    Danny took the typical action seen from most
    admins...port scanning the system from the outside,
    and comparing the open ports to lists of known trojans
    and services.  This is inconclusive at best, and leads
    to a lot of speculation and time-wasting.  Better to
    run fport on the system (if NT/2K...if the system is
    XP, run netstat w/ the '-o' switch) instead, to see
    the process-to-port mapping.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
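The consolidation step the reply above describes (join the port-to-PID mapping from `netstat -o` / fport with the process list, then eyeball the image paths, as in Don's suggestion of looking for executables that do not live under the winnt directory) as an added, stand-alone example. This is not procdmp.pl or any other tool mentioned on the page. It assumes two text captures as input: the output of `netstat -ano` (XP/2003 format) and a PID-to-executable-path listing in the CSV shape `wmic process get ProcessId,ExecutablePath /format:csv` produces. Both samples below are constructed for the example, not taken from a real host, and the system-root prefixes are an assumption about a default install.

```python
"""Join a netstat -ano capture with a PID -> executable path listing and
flag listeners whose image lives outside the system root (or whose PID is
missing from the process list).  Example code, not from the original post.
Both samples below are CONSTRUCTED for this example."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (XP/2003 column layout).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1492
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING       2100
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:3389          10.0.0.9:1044          ESTABLISHED     1604
  UDP    0.0.0.0:445            *:*                                    4
  UDP    10.0.0.5:137           *:*                                    4
"""

# Constructed sample in the CSV shape of
# `wmic process get ProcessId,ExecutablePath /format:csv`.
# PID 4 (System) has no image path; PID 2100 is deliberately absent.
WMIC_SAMPLE = """Node,ExecutablePath,ProcessId
HOST,,4
HOST,C:\\WINNT\\system32\\svchost.exe,880
HOST,C:\\Program Files\\Common Files\\svchost.exe,1492
HOST,C:\\WINNT\\system32\\termsrv.exe,1604
"""

# Assumption: default install locations; adjust for a non-default %SystemRoot%.
SYSTEM_ROOTS = ("c:\\winnt\\", "c:\\windows\\")


@dataclass
class Socket:
    proto: str
    addr: str
    port: int
    remote: str
    state: str      # empty for UDP, which has no state column
    pid: int


# State is optional because UDP rows leave that column blank.
_NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one Socket per TCP/UDP row; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        addr, port = local.rsplit(":", 1)
        sockets.append(Socket(proto, addr, int(port), remote, state or "", int(pid)))
    return sockets


def parse_process_paths(text):
    """Map PID -> executable path ('' when the OS reports none, e.g. System)."""
    return {int(row["ProcessId"]): row["ExecutablePath"]
            for row in csv.DictReader(io.StringIO(text.strip()))}


def consolidate(sockets, paths, system_roots=SYSTEM_ROOTS):
    """One row per socket with the owning image and a suspicion flag/reason."""
    rows = []
    for s in sockets:
        suspicious, reason = False, ""
        if s.pid not in paths:
            # The process list was taken a moment after netstat, or it is hidden.
            suspicious, reason = True, "pid absent from process list"
        elif paths[s.pid] and not paths[s.pid].lower().startswith(system_roots):
            suspicious, reason = True, "image outside system root"
        rows.append({"proto": s.proto, "addr": s.addr, "port": s.port,
                     "state": s.state, "pid": s.pid,
                     "path": paths.get(s.pid, "<unknown>") or "(no image path)",
                     "suspicious": suspicious, "reason": reason})
    return rows


def flagged(rows):
    return [r for r in rows if r["suspicious"]]


def report(rows):
    """Plain-text view sorted by protocol and port, suspicious rows marked."""
    out = []
    for r in sorted(rows, key=lambda r: (r["proto"], r["port"])):
        mark = f"  <-- {r['reason']}" if r["suspicious"] else ""
        out.append(f"{r['proto']:<4}{r['addr']}:{r['port']:<6}{r['state']:<12}"
                   f"pid={r['pid']:<6}{r['path']}{mark}")
    return "\n".join(out)


if __name__ == "__main__":
    rows = consolidate(parse_netstat(NETSTAT_SAMPLE), parse_process_paths(WMIC_SAMPLE))
    print(report(rows))
```

Run it against real captures by replacing the two sample strings with file contents; on NT/2K, where netstat has no `-o` switch, fport output gives the same port-to-PID-to-path triple and needs only a different parser. A path outside the system root is a lead, not a verdict: a legitimate third-party service also lives outside it, and a trojan dropped into `system32` under a plausible name will not be flagged, which is why the reply recommends pairing this with handle, listdlls and pslist rather than port lists alone.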
    



    This archive was generated by hypermail 2b30 : Wed May 29 2002 - 10:26:12 PDT