Full Disclosure mailing list archives
Exploited??
From: "Hank Kester" <hank () burningriver net>
Date: Mon, 28 Jul 2003 15:58:14 -0500
Here I was, freshly installing win2k with sp4. 4 error messages popped up in a row, unhandled exception in svchost.exe. I stupidly didn't get the locations, because I dismissed it as a random bug. It then occurred to me that this may be how the recent RPC exploits appear on the end user's system.

When I tried to open the Task Manager, to see if any other processes had been started, it stayed open for only a fraction of a second. There was one foreign task, sysengr.exe. A search of Google revealed nothing for this filename. I tried to delete it, but first had to rename taskmgr.exe to a random name so that it would stay open, instead of being closed. After this, sysengr.exe was easily ended, and the file was removed (I have a copy available, should anyone want to study it.) The only other side effect I noticed was that I was unable to open regedit, presumably in an attempt to keep me from removing the program from startup.

Thank you for any information you might have on what else I should look for on this system, besides the obvious patching which I was in the process of doing when this came up.

-Hank Kester