Re: Shutting down windows NT remotely (without winnt toolkit)?

From: Lincoln Yeoh (lyeohat_private)
Date: Mon Nov 05 2001 - 18:06:07 PST

    At 12:06 AM 05-11-2000 -0800, Robert Freeman wrote:
    >A reboot is helpful unless the NT box is not password protected or has an
    >agent to automatically enter the password upon startup. Until an admin shows
    >up the box is basically useless.
    
    AFAIK the services still start after a reboot. So the trojaned box still
    scans the whole internet. 
    
    >Secondly, the ExitWindowsEx function in user32.dll can: 1) log off a user;
    >2) shutdown (and power down on ACPI motherboards); 3) reboot. This function
    >is utilized by shutdown.exe which can be called via WinExec or in the
    >following manner: "cmd /C shutdown."
    
    >WinExec is accessible via the native api / INT 2E gate in the event the call
    >is being debugged/hooked. Actually try NtDll.NtShutdownSystem if you decide
    >to write code to use the native api (I can go into more depth on how to do
    >this if you want).
    
    I did try that. The log off works, but the shutdown doesn't. Unless I
    really have to I don't want to have to upload code (to call that priv
    routine and then call the shutdown) to the target and get it to run it. 
    
    So is it impossible to remotely shutdown (properly) a default install NT
    machine (no reskit stuff, just infected with codered/nimda)?
    
    I guess I'll try the cmd /c echo tab backspace thingy when I have time. Not
    a proper shutdown tho. But at this moment it looks like default NT
    installations don't make remote shutdowns easy (just remote crash/root doh!
    ;) ).
    
    Cheerio,
    Link.
    


