Full Disclosure mailing list archives

RE: Looking for a tool


From: Nicob <nicob () nicob net>
Date: Tue, 02 Mar 2004 13:43:48 +0100

On Tue, 2004-03-02 at 00:36, Schmehl, Paul L wrote:

        Well, I usually use *sysinternals* Process Explorer, and have
        yet to see it fail to list a process...  how do you know the
        process exists, if you can't list it?

        Real simple.  I have randomly named processes (like
        gk5odre.exe) popping up, and when I kill them, another one
        takes their place.  *Something* has to be the parent that
        controls this.  I can delete an entire registry key and watch
        it be recreated in less than a second.  I can delete a
        directory with three dlls in it and watch it be recreated
        right before my eyes.  I can kill the randomly named process
        and watch it reappear using the same name or a completely
        different name.  I can delete the executable after killing the
        process, and it will be recreated in no time.  So *something*
        has to be controlling it, yet when I look at the process tree,
        the randomly named process appears to be the parent.

Probably a rootkit.

Have a look at klister and patchfinder2, from www.rootkit.com ...


Regards,
-- 
Nicob <nicob () nicob net>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
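A defender-side check for the respawn symptom described in the quoted message, added here as an example and not part of the thread or of klister/patchfinder2: record every process start together with its parent PID at the moment of creation, so the launcher is captured even if it exits immediately or is hidden from a later process listing. It assumes an elevated PowerShell session (Win32_ProcessStartTrace needs admin rights); the log path and the name heuristic are arbitrary choices.

```powershell
# Added example: trace process creations with their parent PID as they happen,
# so the launcher of a respawning, randomly named process is recorded even if
# it exits at once or is hidden from a user-mode process list afterwards.
# Assumptions: elevated PowerShell (Win32_ProcessStartTrace needs admin rights);
# the log path below is an arbitrary choice.
$LogPath = Join-Path $env:TEMP 'procstart.log'

$onStart = {
    $e   = $Event.SourceEventArgs.NewEvent   # Win32_ProcessStartTrace instance
    $log = $Event.MessageData                # log path handed in via -MessageData

    # Resolve the parent right now; if it is already gone, or hidden from the
    # user-mode enumeration, the lookup returns nothing and we say so explicitly.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ParentProcessID)" `
                -ErrorAction SilentlyContinue
    $parentName = if ($parent) { $parent.Name } else { '<parent not visible>' }

    # Crude heuristic for names like gk5odre.exe from the thread: a short
    # basename mixing letters and digits is flagged for a closer look.
    $flag = if ($e.ProcessName -match '^(?=.*\d)(?=.*[a-z])[a-z0-9]{5,10}\.exe$') { 'RANDOMISH' } else { '' }

    $line = '{0} pid={1} name={2} ppid={3} parent={4} {5}' -f `
        (Get-Date -Format o), $e.ProcessID, $e.ProcessName, $e.ParentProcessID, $parentName, $flag
    Add-Content -Path $log -Value $line
}

Register-CimIndicationEvent -Query 'SELECT * FROM Win32_ProcessStartTrace' `
    -SourceIdentifier 'ProcStartTrace' -MessageData $LogPath -Action $onStart | Out-Null

Write-Host "Logging process starts to $LogPath. Kill the suspect process, then read the log."
# To stop: Unregister-Event -SourceIdentifier 'ProcStartTrace'
```

After killing the suspect process, the ppid column of the new entry names the real spawner; a parent that is running but shows as not visible is exactly the discrepancy that cross-view tools such as klister are built to expose.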
