Security Basics mailing list archives
Re: Possible Trojan.
From: H Carvey <keydet89 () yahoo com>
Date: 28 Oct 2003 11:46:30 -0000
In-Reply-To: <20031027194238.14184.qmail () sf-www1-symnsj securityfocus com>

Comments/questions inline:
> Have a buddy complaining about his AOL account password being stolen every time he logs onto AOL from his PC at work.
Did he happen to mention what it is that makes him think this? I ask, simply b/c I do some helpdesk work during my day-to-day activities and very often get really intelligent users who make certain assumptions that, well, are a little off base.
> I talked him through doing an fport on his box and he sent me the results:
Given the number of times svchost.exe appears, is this an XP box? I know that by default, the installation path for XP is "Windows", not "Winnt", but I have seen this modified during install by admins.
> I'm really concerned with the last one: 228 winlogon -> 1053 UDP \??\C:\WINNT\system32\winlogon.exe
That path is legit, for both XP and 2K. You might want to check out the file itself, w/ a 'dir'...on 2K, my file is about 178K in size, whereas on XP it's 430K. I'm guessing that when I get to work and take a look at my system, I might see a similar entry...none of my test boxes are in a domain.
> I've found some things on the net that say it's legit, I've found others that say it's indicative of a backdoor.
Do you have links to those sites? Remember, just b/c it's on the Internet doesn't mean it's true... ;-)
> I ran fport on my box and did not have any entries like that. Does anyone have any information on this? Are there other entries that attract anyone else's attention?
I don't see anything that really jumps out. I would suggest that you have your buddy get listdlls.exe from SysInternals.com and run it, then send you the output. What you'll want to look at is the command line used to launch each process. You can also use tlist.exe from MS...but be sure to get the one that comes in the debugging tools, not the RK.

Other thoughts...dump the contents of the ubiquitous "Run" keys. Also, you might consider getting a listing of the services and device drivers...I have a Perl script for this, but I don't think that this will be of use to you.

Finally, go ask your buddy what makes him think that his AOL password is being stolen when he logs on...

HTH,
Harlan
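The check Harlan describes above (look at the image path of anything odd in the fport listing, and compare it against where the real system binary lives) is easy to automate. The following script is an added example for this thread, not code from the original post or from Foundstone's fport. It parses the fport table, strips the `\??\` object-manager prefix that fport prints on some paths, and flags any core Windows binary (winlogon.exe, svchost.exe, lsass.exe, ...) whose image is not under `%SystemRoot%\system32`, plus anything running from outside the Windows or Program Files trees. The sample output, the `SYSTEM_ROOTS` tuple (the 2000 `WINNT` and XP `Windows` install paths mentioned in the thread) and the `SYSTEM32_ONLY` set are assumptions of the example; extend them to match your build.

```python
"""Triage helper for fport output.

Added example for the 'Possible Trojan' thread; not from the original
post and not part of fport. fport prints one row per listening port
(PID, process, port, protocol, image path). This script parses that
table and flags images that live somewhere a real system binary never
should.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Install roots for Windows 2000 ("WINNT") and XP ("Windows"). The
# thread notes admins sometimes change these at install time, so adjust
# for your environment. Assumption made for this example.
SYSTEM_ROOTS = ("c:\\winnt", "c:\\windows")

# Core binaries that should only ever run from %SystemRoot%\system32.
# A file with one of these names anywhere else deserves a closer look.
SYSTEM32_ONLY = {
    "winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
    "csrss.exe", "smss.exe", "spoolsv.exe",
}

# Constructed sample, modelled on the fport v2.0 table layout. PIDs,
# ports and paths are illustrative; only the winlogon row with the
# \??\ prefix mirrors the entry quoted in the thread.
SAMPLE_FPORT = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
400   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP   
8     System         ->  445   TCP   
1020  svchost        ->  1025  TCP   C:\WINNT\system32\svchost.exe
1740  lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
228   winlogon       ->  1053  UDP   \??\C:\WINNT\system32\winlogon.exe
1900  winlogon       ->  6667  TCP   C:\WINNT\temp\winlogon.exe
2100  aolsvc         ->  5190  TCP   C:\Program Files\AOL\aolsvc.exe
"""

# One fport data row: "<pid> <process> -> <port> <proto> <path>".
FPORT_ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s*(?P<path>.*?)\s*$"
)


@dataclass
class Entry:
    pid: int
    process: str
    port: int
    proto: str
    path: Optional[str]  # None for kernel-owned ports (System, pid 8)


@dataclass
class Finding:
    entry: Entry
    reason: str


def normalize_path(raw: str) -> str:
    """Drop the NT object-manager prefix (\\??\\) fport shows on some
    paths and lower-case the result; NTFS paths are case-insensitive."""
    if raw.startswith("\\??\\"):
        raw = raw[4:]
    return raw.lower()


def parse_fport(text: str) -> List[Entry]:
    """Return one Entry per data row; banner and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FPORT_ROW.match(line)
        if not m:
            continue
        path = m.group("path") or None
        entries.append(Entry(int(m.group("pid")), m.group("proc"),
                             int(m.group("port")), m.group("proto"),
                             normalize_path(path) if path else None))
    return entries


def triage(text: str) -> List[Finding]:
    """Flag rows whose image path is not where that binary belongs."""
    findings = []
    for e in parse_fport(text):
        if e.path is None:
            continue  # kernel-owned port, no image to check
        directory, _, filename = e.path.rpartition("\\")
        in_system32 = any(directory == root + "\\system32" for root in SYSTEM_ROOTS)
        under_root = any(e.path.startswith(root + "\\") for root in SYSTEM_ROOTS)
        if filename in SYSTEM32_ONLY and not in_system32:
            findings.append(Finding(e, "system binary outside system32"))
        elif not under_root and not e.path.startswith("c:\\program files\\"):
            findings.append(Finding(e, "image outside Windows or Program Files"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FPORT):
        e = f.entry
        print(f"{e.pid:>5} {e.process:<10} {e.proto} {e.port:<5} {e.path}  <- {f.reason}")
```

On the constructed sample the quoted `\??\C:\WINNT\system32\winlogon.exe` row passes, exactly as Harlan says it should, while the second `winlogon` running from `C:\WINNT\temp` is the only row flagged. A path check is a first filter, not a verdict: a file in the right directory can still have been replaced, so follow it with the size/date `dir` check and the listdlls command-line review suggested above.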
Current thread:
- Possible Trojan. Gene (Oct 27)
- RE: Possible Trojan. Bob Beck (Oct 27)
- Re: Possible Trojan. Charles Funderburk (Oct 27)
- <Possible follow-ups>
- Re: Possible Trojan. H Carvey (Oct 28)
- Re: Possible Trojan. John T. Hoffoss (Oct 29)
- Interesting sniffer packet JGrimshaw (Oct 30)
- Re: Possible Trojan. John T. Hoffoss (Oct 29)