Full Disclosure mailing list archives
RE: Looking for a tool
From: Nicob <nicob () nicob net>
Date: Tue, 02 Mar 2004 13:43:48 +0100
On Tue, 2004-03-02 at 00:36, Schmehl, Paul L wrote:
Well, I usually use *sysinternals* Process Exporer, and have yet to see it fail to list a process... how do you know the process exists, if you can't list it? Real simple. I have randomly named processes (like gk5odre.exe) popping up, and when I kill them, another one takes their place. *Something* has to be the parent than controls this. I can delete an entire registry key and watch it be recreated in less than a second. I can delete a directory with three dlls in it and watch it be recreated right before my eyes. I can kill the randomly named process and watch it reappear using the same name or a completely different name. I can delete the executable after killing the process, and it will be recreated in no time. So *something* has to be controlling it, yet when I look at the process tree, the randomly named process appears to be the parent.
Probably a rootkit. Give a look to klister and patchfinder2, from www.rootkit.com ... Regards, -- Nicob <nicob () nicob net> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Looking for a tool, (continued)
- RE: Looking for a tool Harlan Carvey (Mar 04)
- RE: Looking for a tool Tiago Halm (Mar 01)
- Re: Looking for a tool Lan Guy (Mar 02)
- Re: Looking for a tool Gregh (Mar 02)
- Re: Looking for a tool Dave Howe (Mar 02)
- Re: Looking for a tool Gregh (Mar 02)
- Re: Looking for a tool Dave Howe (Mar 02)
- Re: Looking for a tool Gregh (Mar 02)
- RE: Looking for a tool Jeremiah Cornelius (Mar 02)
- Re: Looking for a tool Gregh (Mar 02)