Re: Compromised Win2000 machine.

From: H C (keydet89at_private)
Date: Wed May 29 2002 - 19:09:32 PDT


    Some additional thoughts on this particular issue...
    
    > ...but I thought the advice for a (possibly)
    > compromised box was *not* 
    > to run executable programs that resided on that
    > host, as they can't be trusted?
    
    While I definitely recommend burning your tools...even
    the ones shipped w/ NT/2K, including cmd.exe...to a
    CD, to be quite honest, has anyone ever actually seen
    a system w/ a trojaned netstat?  Now, I know many
    folks are going to pump their arms into the air...so
    let me clarify...this is a 2K box.  Has anyone ever
    seen a trojaned cmd.exe or netstat.exe?  Has anyone
    seen netstat.exe on an NT or 2K system "trojaned" so
    as to NOT show certain connects...but otherwise, it
    works fine?
    
    Remember...the Linux/*nix architectures are different
    from that of NT/2K...and XP.  I'm not saying that this
    can't be done...I'm simply asking if anyone can show,
    with proof, that this *has* been done?  And it doesn't
    have to be just netstat.exe...it can be any other
    native tool.  And binding the .exe file using
    SaranWrap or EliteWrap doesn't count, as the basic
    functionality still exists and all network connects
    (netstat) will still be shown...
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
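An added defender-side check, not part of the original post: it hashes the native tools the post names (cmd.exe, netstat.exe) on a suspect host against the copies carried on trusted media (the burned CD) and flags any that differ. The directories and file contents below are constructed samples standing in for the real binaries.

```python
import hashlib
import tempfile
from pathlib import Path

# Native tools the post singles out as worth carrying on trusted media.
NATIVE_TOOLS = ("cmd.exe", "netstat.exe")


def sha256_of(path):
    """Stream a file through SHA-256 (binaries can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_tools(trusted_dir, suspect_dir, names=NATIVE_TOOLS):
    """Return {name: 'ok' | 'MISMATCH' | 'missing'} by hashing each tool on
    the suspect host against the copy on trusted (CD) media."""
    results = {}
    for name in names:
        trusted = Path(trusted_dir) / name
        suspect = Path(suspect_dir) / name
        if not suspect.exists():
            results[name] = "missing"
        elif sha256_of(trusted) == sha256_of(suspect):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed sample: a fake 'CD' and a fake host whose netstat.exe
    differs from the trusted copy while cmd.exe matches."""
    with tempfile.TemporaryDirectory() as tmp:
        cd, host = Path(tmp) / "cd", Path(tmp) / "host"
        cd.mkdir()
        host.mkdir()
        for name in NATIVE_TOOLS:
            (cd / name).write_bytes(b"MZ trusted " + name.encode())
        (host / "cmd.exe").write_bytes(b"MZ trusted cmd.exe")
        (host / "netstat.exe").write_bytes(b"MZ tampered netstat.exe")
        return compare_tools(cd, host)


if __name__ == "__main__":
    for tool, status in demo().items():
        print(f"{tool}: {status}")
```

A mismatch means "investigate", not "trojaned": the trusted copy must come from the same OS build and service pack as the host, or a legitimate hotfix will show up as a difference.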
    



    This archive was generated by hypermail 2b30 : Thu May 30 2002 - 09:35:16 PDT