Some additional thoughts on this particular issue...

> ...but I thought the advice for a (possibly)
> compromised box was *not*
> to run executable programs that resided on that
> host, as they can't be trusted?

While I definitely recommend burning your tools...even the ones shipped w/ NT/2K, including cmd.exe...to a CD, to be quite honest, has anyone ever actually seen a system w/ a trojaned netstat?

Now, I know many folks are going to pump their arms into the air...so let me clarify...this is a 2K box. Has anyone ever seen a trojaned cmd.exe or netstat.exe? Has anyone seen netstat.exe on an NT or 2K system "trojaned" so as to NOT show certain connects...but otherwise, it works fine?

Remember...the Linux/*nix architectures are different from that of NT/2K...and XP.

I'm not saying that this can't be done...I'm simply asking if anyone can show, with proof, that this *has* been done? And it doesn't have to be just netstat.exe...it can be any other native tool.

And binding the .exe file using SaranWrap or EliteWrap doesn't count, as the basic functionality still exists and all network connects (netstat) will still be shown...

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu May 30 2002 - 09:35:16 PDT