Security Incidents mailing list archives

Re: 'rooted' NT/2K boxen?


From: H C <keydet89 () yahoo com>
Date: Thu, 2 May 2002 15:42:39 -0700 (PDT)

Cody, 

Of all of the responses I've seen so far, yours is by
far the most informative.  Thanks.

> I saw a Win2000 machine rooted just last week by an autorooter taking
> advantage of the pre-10pack rollup Microsoft put out just recently. It
> was hacked through a Unicode attack by an auto-rooter from Russia,
> connected to an ftp site in Moscow and downloaded a file named "lb.exe",

I guess the specifics are that using the dir
traversal exploit (patch published in Nov
'00...ouch!), this autorooter sent echo commands to
the system to create and launch the ftp script file.

Do you have a copy of "lb.exe", by chance?

> which, when run connects to an IRC server in Moscow, loads an
> auto-rooter with a list of servers to attack, and hides the processes
> from netstat, Program Manager, etc. It was pretty slick.

This is interesting.  First off, neither netstat nor
Program Manager show process information, so hiding
process info from them isn't tough.  I'm going to
assume you mean Task Manager...but again, that's an
API call to hide a process from TM.  Netstat on XP
will show process info, but not on NT/2K.  

I'd be interested in getting a copy of lb.exe to look
at, or some more specifics on this ability to hide
processes you mentioned...
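As an added illustration of the point about process hiding (this is editor-supplied example code, not anything from the thread or from "lb.exe"): a cross-view check that compares the PIDs Windows reports through three independent paths and flags any that disappear from one of them. It assumes PowerShell 3 or later (for Get-CimInstance) and a netstat that prints the owning PID, which, as noted above, means XP or newer.

```powershell
# Cross-view process check (added example, not from the list post).
# Compares three independent views of running processes: the Win32 API view
# (Get-Process), the WMI/CIM view (Win32_Process) and the PIDs that own
# sockets (netstat -ano, XP and later). A process that owns a socket but is
# missing from the API or WMI list is worth a closer look on an IR host.
# Caveat: processes that start or exit between the snapshots will show up
# as transient discrepancies, so rerun before drawing conclusions.

function Get-NetstatOwnerPids {
    # Parse the trailing PID column from 'netstat -ano' (TCP rows carry a
    # state column before the PID, UDP rows do not).
    $pids = @()
    foreach ($line in (netstat -ano 2>$null)) {
        if ($line -match '^\s*(TCP|UDP)\s+\S+\s+\S+\s+(\S+\s+)?(\d+)\s*$') {
            $pids += [int]$Matches[3]
        }
    }
    return @($pids | Sort-Object -Unique)
}

function Compare-ProcessViews {
    $apiPids = @(Get-Process | Select-Object -ExpandProperty Id)
    $wmiPids = @(Get-CimInstance Win32_Process | Select-Object -ExpandProperty ProcessId)
    # PID 0 marks unowned/system sockets and is never a real process entry.
    $netPids = @(Get-NetstatOwnerPids | Where-Object { $_ -ne 0 })

    $knownToOthersA = @($netPids + $wmiPids | Sort-Object -Unique)
    $knownToOthersW = @($netPids + $apiPids | Sort-Object -Unique)

    [PSCustomObject]@{
        MissingFromApi = @($knownToOthersA | Where-Object { $apiPids -notcontains $_ })
        MissingFromWmi = @($knownToOthersW | Where-Object { $wmiPids -notcontains $_ })
    }
}

$result = Compare-ProcessViews
if ($result.MissingFromApi.Count -eq 0 -and $result.MissingFromWmi.Count -eq 0) {
    "No discrepancy between API, WMI and socket-owner views."
} else {
    "Owning sockets or known to WMI but absent from Get-Process: $($result.MissingFromApi -join ', ')"
    "Known to the API or owning sockets but absent from WMI: $($result.MissingFromWmi -join ', ')"
}
```

Run it from an elevated prompt so netstat can report PIDs for every socket; a persistent gap between views is the signal to pull the box for deeper forensics rather than proof of a hidden process on its own.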



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
