Security Basics mailing list archives

Re: Hacked again???

From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 27 Jun 2005 11:30:32 +0200

On 2005-06-21 Christoph 'knurd' Jeschke wrote:

Valentin Höbel schrieb:

so for the appearance of the process, he has to start the messenger
one time.


And the integrity of the msnmsgr.exe is important, too. Malware can
easily replace a existing msnmsgr.exe or simply create a new one at
another place (like Rbot did - especially if a user is over-
privileged.

To be sure, the OP should take sysinternals Process Explorer.


If he was using an overly privileged account that may not suffice, since
a rootkit may manipulate what Process Explorer gets to see. I would
recommend using RootkitRevealer in addition to Process Explorer. Even
better would be to boot some other system (Knoppix, BartPE, ... you name
it), get the checksum of the binaries in question and compare them to
the checksums on a known-good system.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Current thread:

Hacked again??? Mauricio Fernandez (Jun 15)
- 答复: Hacked again??? Yu Haitao David (Jun 16)
  - Re: 答复: Hacked again??? Vijay Vikram (Jun 27)
- Re: Hacked again??? Mark Bassett (Jun 16)
  - Re: Hacked again??? zilb (Jun 20)
    - Re: Hacked again??? Valentin Höbel (Jun 20)
    - Re: Hacked again??? Christoph 'knurd' Jeschke (Jun 21)
    - Re: Hacked again??? Ansgar -59cobalt- Wiechers (Jun 27)
- Re: Hacked again??? Christoph 'knurd' Jeschke (Jun 17)
- <Possible follow-ups>
- Re: Hacked again??? mod . sparda (Jun 16)
- Re: Re: Hacked again??? s . omahony (Jun 17)
- Re: Re: Hacked again??? Phil Cryer (Jun 20)