Security Basics mailing list archives
Re: Hacked again???
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 27 Jun 2005 11:30:32 +0200
On 2005-06-21 Christoph 'knurd' Jeschke wrote:
Valentin Höbel schrieb:so for the appearance of the process, he has to start the messenger one time.And the integrity of the msnmsgr.exe is important, too. Malware can easily replace a existing msnmsgr.exe or simply create a new one at another place (like Rbot did - especially if a user is over- privileged. To be sure, the OP should take sysinternals Process Explorer.
If he was using an overly privileged account that may not suffice, since a rootkit may manipulate what Process Explorer gets to see. I would recommend using RootkitRevealer in addition to Process Explorer. Even better would be to boot some other system (Knoppix, BartPE, ... you name it), get the checksum of the binaries in question and compare them to the checksums on a known-good system. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- Hacked again??? Mauricio Fernandez (Jun 15)
- 答复: Hacked again??? Yu Haitao David (Jun 16)
- Re: 答复: Hacked again??? Vijay Vikram (Jun 27)
- Re: Hacked again??? Mark Bassett (Jun 16)
- Re: Hacked again??? zilb (Jun 20)
- Re: Hacked again??? Valentin Höbel (Jun 20)
- Re: Hacked again??? Christoph 'knurd' Jeschke (Jun 21)
- Re: Hacked again??? Ansgar -59cobalt- Wiechers (Jun 27)
- Re: Hacked again??? zilb (Jun 20)
- 答复: Hacked again??? Yu Haitao David (Jun 16)
- <Possible follow-ups>
- Re: Hacked again??? mod . sparda (Jun 16)
- Re: Re: Hacked again??? s . omahony (Jun 17)
- Re: Re: Hacked again??? Phil Cryer (Jun 20)