Re: Anyone seen this before?

From: H C (keydet89at_private)
Date: Tue Jul 02 2002 - 16:28:37 PDT


    > In task mgr, The application 'address' (w/o quotes)
    > is running and is linked
    > to the explorer.exe proc.
    
    What do you mean by "linked"?  What does this mean,
    and what did you do (or what tool did you use) to
    verify or discover this?
    
    > <!--begin the obvious-->
    > I verified that the explorer.exe was the correct
    > size.  There was only 1
    > running with a normal thread count.
    
    Okay...but what do you consider 'normal'?  
     
    > I checked hklm...\currentversion\run(run
    > once,services) and nothing was in
    > it.  Stat up, same, nothing.
    
    What?  What does "stat up, same, nothing" refer to?
    
    > I ran fport and fscan and nothing out of the
    > ordinary popped up; netstat -a
    > also
    > did not show anything out of the ordinary.  I also
    > ran several other
    > scanners against the
    > machine and no known vulns that were unexpected
    > popped up.
    
    Okay...but if the process is on the machine, why are
    you running scanners against it?
     
    > IIS, Index service, etc are not running. All
    > mappings removed, services
    > disabled. Sp2, all app
    > hotfixes installed.  Pretty secure machine when run
    > against normal audits.
    > It is facing the public
    > so the standard extra precautions have been taken.
    > <!--end the obvious-->
    
    All of that may have been obvious to you, but please
    understand...most of us have no idea what you consider
    to be "standard extra precautions".  Hotfixes are all
    good and fine...but did you unbind NetBIOS from the
    Interface, leaving only TCP/IP?  
     
    > If anyone has seen this before please let me know. 
    > A search on google did not provide
    > any solid leads.  I did follow thru on checking for
    > known code
    > red/nimda/things that were
    > close but not really leads.
    > 
    > I appreciate any insight from the list.
    > 
    > Oh, and please don't bother to tell me to blow away
    > the OS and start from
    > scratch.
    > While I appreciate the suggestion, i'm looking for
    > leads, not the obvious.
    
    Well, first off, "blowing away the os" is hardly what
    I would call an "obvious" answer.  More like that
    answer slung about by those who aren't knowledgeable.
    
    Here's what I would suggest...go to SysInternals.com
    and get a copy of handle.exe, listdlls.exe, and
    pslist.exe (from the PSToolkit).  These are all CLI
    tools, so you may want to redirect their output to a
    file...
    
    Run the tools.  Pslist will give you some specifics
    about this "address" process...PID, times, etc.  From
    handle.exe, you should be able to get the user context
    that the process is running under, plus the handles
    (files, semaphores, etc.) the process has open. 
    ListDlls will show you not only the DLLs the process
    depends on, but also the command line used to launch
    the process.
    
    Also, the CreateProcess() API call requires the full
    path to the executable as its first argument, so you
    should be able to find a copy of "address.exe"
    someplace on your system.
    
    Happy hunting.  Let me know if you need any help.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
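The triage the reply above describes (pslist for PID and times, handle.exe for the user context and open handles, ListDLLs for loaded modules and the command line, plus the netstat/fport check and a search for the image on disk) collected into one script. This is an added example, not code from the original post or from Sysinternals: it uses the modern PowerShell equivalents of those tools, the process name "address" is the one from the thread, and the function name Get-ProcessTriage and the output-file location are assumptions. Run it from an elevated prompt on the affected machine; handle.exe is only invoked if it is present on the PATH.

```powershell
# Added example, not part of the original post. Function name and output path are hypothetical.
function Get-ProcessTriage {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Name,                                     # image name without ".exe", e.g. "address"
        [string]$OutFile = "$env:TEMP\triage-$Name.txt"    # CLI-style output redirected to a file
    )

    # Win32_Process carries what pslist/listdlls would show: PID, parent PID,
    # creation time, thread count, executable path and the full command line.
    $procs = Get-CimInstance Win32_Process -Filter "Name = '$Name.exe'"
    if (-not $procs) { Write-Warning "No process named $Name.exe is running"; return }

    foreach ($p in $procs) {
        # User context (what handle.exe reports) via the GetOwner method.
        $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

        [pscustomobject]@{
            PID         = $p.ProcessId
            Parent      = "$($parent.Name) ($($p.ParentProcessId))"
            Started     = $p.CreationDate
            Threads     = $p.ThreadCount
            Owner       = "$($owner.Domain)\$($owner.User)"
            ImagePath   = $p.ExecutablePath
            CommandLine = $p.CommandLine
        } | Format-List | Out-File -FilePath $OutFile -Append

        # Loaded modules (the listdlls view): a DLL loaded from a user-writable
        # or otherwise unexpected directory is the usual tell.
        "`n--- Modules loaded by PID $($p.ProcessId) ---" | Out-File $OutFile -Append
        (Get-Process -Id $p.ProcessId).Modules |
            Select-Object ModuleName, FileName |
            Sort-Object FileName | Format-Table -AutoSize | Out-File $OutFile -Append

        # Open handles: PowerShell has no built-in enumerator, so use Sysinternals
        # handle.exe when it is available on the PATH.
        if (Get-Command handle.exe -ErrorAction SilentlyContinue) {
            "`n--- Handles held by PID $($p.ProcessId) ---" | Out-File $OutFile -Append
            & handle.exe -accepteula -p $p.ProcessId 2>&1 | Out-File $OutFile -Append
        }

        # Network endpoints owned by this PID (the netstat -a / fport check, tied to the process).
        "`n--- TCP endpoints for PID $($p.ProcessId) ---" | Out-File $OutFile -Append
        Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
            Format-Table -AutoSize | Out-File $OutFile -Append
    }

    # If ExecutablePath came back empty the image may have been removed after launch;
    # look for any remaining copies on the fixed drives and hash them for later lookup.
    $hits = Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        Get-ChildItem -Path $_.Root -Filter "$Name.exe" -Recurse -File -ErrorAction SilentlyContinue
    }
    "`n--- Copies of $Name.exe on disk ---" | Out-File $OutFile -Append
    $hits | ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Bytes     = $_.Length
            Created   = $_.CreationTime
            Modified  = $_.LastWriteTime
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize | Out-File $OutFile -Append

    Write-Host "Triage written to $OutFile"
}

Get-ProcessTriage -Name address
```

The module listing needs a process of the same bitness as the PowerShell host, so run a 64-bit shell on a 64-bit system; the parent PID and command line are the two fields most worth reading first, since a parent of explorer.exe with a command line pointing outside the usual program directories tells you more than the thread count does.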
    



    This archive was generated by hypermail 2b30 : Tue Jul 02 2002 - 20:19:20 PDT