Anyone seen this before?

From: Michael B. Morell (MMorellat_private)
Date: Tue Jul 02 2002 - 15:04:55 PDT


I found an odd application running on a 2k server box that I have not seen before, or that is at least not obvious to me.

In Task Manager, the application 'address' (w/o quotes) is running and is linked to the explorer.exe proc.

<!--begin the obvious-->
I verified that the explorer.exe was the correct size. There was only 1 running, with a normal thread count.

I checked hklm...\currentversion\run (run once, services) and nothing was in it. Startup, same, nothing.

I ran fport and fscan and nothing out of the ordinary popped up; netstat -a also did not show anything out of the ordinary. I also ran several other scanners against the machine and no known vulns that were unexpected popped up.

IIS, Index service, etc. are not running. All mappings removed, services disabled. SP2, all app hotfixes installed. Pretty secure machine when run against normal audits. It is facing the public, so the standard extra precautions have been taken.
<!--end the obvious-->

If anyone has seen this before please let me know. A search on Google did not provide any solid leads. I did follow through on checking for known Code Red/Nimda/things that were close but not really leads.

I appreciate any insight from the list.

Oh, and please don't bother to tell me to blow away the OS and start from scratch. While I appreciate the suggestion, I'm looking for leads, not the obvious.

Thanks,

Mike

--------------------------------------------------------
\Your mission is to destroy users will to use bandwidth/
--------------------------------------------------------
    
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
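The triage Mike describes (an unknown process hanging off explorer.exe, the Run/RunOnce/RunServices keys, and netstat/fport output) is reproduced here as an added PowerShell script that is not part of the original post. It assumes a current Windows host (PowerShell 5.1 or later, Windows 8/Server 2012 or later for Get-NetTCPConnection), which the 2002-era Windows 2000 box in the post would not run; the process name 'address' comes from the post, everything else is constructed for this example.

```powershell
# Added triage script (not from the original post). Assumes a modern Windows host;
# the suspect process name 'address' is taken from the post.
param([string]$Suspect = 'address')

# 1. Every process, indexed by PID, so parents can be resolved (the "linked to
#    explorer.exe" observation). Win32_Process carries ParentProcessId and ExecutablePath.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Report the suspect by name plus every child of explorer.exe, with the on-disk path
# and Authenticode status (a size check, as in the post, is weaker than a signature check).
$hits = $procs | Where-Object {
    $_.Name -like "$Suspect*" -or
    ($byPid[[int]$_.ParentProcessId] -and $byPid[[int]$_.ParentProcessId].Name -ieq 'explorer.exe')
}
foreach ($p in $hits) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $sig = if ($p.ExecutablePath) { (Get-AuthenticodeSignature $p.ExecutablePath).Status } else { 'n/a' }
    [pscustomobject]@{
        Pid = $p.ProcessId; Name = $p.Name; Parent = $parent.Name
        Path = $p.ExecutablePath; Signature = $sig; CommandLine = $p.CommandLine
    }
}

# 2. Listening TCP ports mapped to their owning process (the netstat -a / fport step).
Get-NetTCPConnection -State Listen | ForEach-Object {
    $o = $byPid[[int]$_.OwningProcess]
    [pscustomobject]@{ LocalPort = $_.LocalPort; Pid = $_.OwningProcess; Name = $o.Name; Path = $o.ExecutablePath }
} | Sort-Object LocalPort

# 3. The autorun keys the post walked through, under both HKLM and HKCU.
$runKeys = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce'
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($k in $runKeys) {
        $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$k"
        if (Test-Path $path) {
            Get-ItemProperty $path | Select-Object * -ExcludeProperty PS* | ForEach-Object {
                $_.PSObject.Properties | ForEach-Object {
                    [pscustomobject]@{ Key = $path; Value = $_.Name; Data = $_.Value }
                }
            }
        }
    }
}
```

Run it elevated so ExecutablePath and CommandLine are populated for every process; an entry whose signature is not "Valid", whose path is outside the expected system directories, or whose autorun data points at a location nothing on the box should write to is the lead worth pulling first.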
    



    This archive was generated by hypermail 2b30 : Tue Jul 02 2002 - 15:30:15 PDT