Security Incidents mailing list archives
RE: Compromised Win2000 machine.
From: H C <keydet89 () yahoo com>
Date: Wed, 29 May 2002 10:11:17 -0700 (PDT)
Don,
Look under services, find all remote procedure calls, look at the properties of each one, specifically notating the actual path to the called program. Likely you'll find one of those does not go to the winnt directory; stop that service. You may want to go thru all of your services that are active, and look at the program name and location of the program to make sure you recognize all of them. The ones you don't, take a little further look into.
It's not clear why checking the services is the way to go on this...IMHO, I'd check the processes instead. Running tools like fport, netstat, handle, listdlls, and pslist will get a fairly complete snapshot of what's going on on the system, and then using a tool like procdmp.pl (http://patriot.net/~carvdawg/perl.html) to consolidate that info for easy viewing might be a better way to go.

Danny took the typical action seen of most admins...port scanning the system from the outside, and comparing the open ports to lists of known trojans and services. This is inconclusive at best, and leads to a lot of speculation and time-wasting. Better to run fport on the system (if NT/2K...if the system is XP, run netstat w/ the '-o' switch) instead, to see the process to port mapping.

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
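The consolidation step H C describes (take the port-to-process mapping from fport or netstat -o, join it with a process/service inventory, and flag anything whose image lives outside the Windows directory, as Don suggested) is illustrated below. This is an added example written for this archive page; it is not procdmp.pl and not any tool from the thread. It assumes XP-style `netstat -ano` output with a trailing PID column and a constructed process inventory of the kind pslist/listdlls or the service properties dialog would give you; both samples are made up for the example.

```python
"""Join a netstat port-to-PID snapshot with a process inventory and flag
processes whose image runs from outside the Windows directory.
Added example for the mailing list thread; not procdmp.pl."""

# Constructed sample of `netstat -ano` output (XP-style, with PID column).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1604
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:31337       198.51.100.7:4444      ESTABLISHED     1604
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed process inventory: pid -> (image name, full image path).
# In practice this comes from pslist/listdlls or the service properties.
PROCESS_SAMPLE = {
    4: ("System", "C:\\WINNT\\system32\\ntoskrnl.exe"),
    812: ("svchost.exe", "C:\\WINNT\\system32\\svchost.exe"),
    1604: ("svchost.exe", "C:\\Temp\\svchost.exe"),
}

# Directories a stock NT/2K/XP install keeps its service binaries under.
TRUSTED_DIRS = ("c:\\winnt\\", "c:\\windows\\")


def parse_netstat(text):
    """Return one dict per TCP/UDP line: proto, local port, state, remote, pid."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we don't understand
        port = int(tokens[1].rsplit(":", 1)[1])
        # UDP lines carry no State column, so the PID is the last token.
        state = tokens[3] if tokens[0] == "TCP" and len(tokens) >= 5 else ""
        entries.append({"proto": tokens[0], "port": port, "state": state,
                        "remote": tokens[2], "pid": int(tokens[-1])})
    return entries


def in_trusted_dir(path):
    """Case-insensitive check that an image path sits under the Windows dir."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def consolidate(entries, processes):
    """Group port entries by PID, attach image info, and record flags."""
    view = {}
    for e in entries:
        name, path = processes.get(e["pid"], ("<unknown>", ""))
        rec = view.setdefault(e["pid"], {"name": name, "path": path,
                                         "ports": [], "flags": []})
        rec["ports"].append((e["proto"], e["port"], e["state"], e["remote"]))
    for rec in view.values():
        if not rec["path"]:
            rec["flags"].append("PID has no entry in the process inventory")
        elif not in_trusted_dir(rec["path"]):
            rec["flags"].append("image runs from outside the Windows directory")
    return view


def suspicious_pids(view):
    """PIDs that picked up at least one flag, sorted for stable output."""
    return sorted(pid for pid, rec in view.items() if rec["flags"])


def format_report(view):
    """Render the consolidated view as one block of text per PID."""
    lines = []
    for pid in sorted(view):
        rec = view[pid]
        lines.append(f"PID {pid} {rec['name']} [{rec['path'] or '?'}]")
        for proto, port, state, remote in rec["ports"]:
            lines.append(f"    {proto} {port:<6} {state:<12} {remote}")
        for flag in rec["flags"]:
            lines.append(f"    !! {flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    snapshot = consolidate(parse_netstat(NETSTAT_SAMPLE), PROCESS_SAMPLE)
    print(format_report(snapshot))
```

On a real box you would feed `parse_netstat` the saved output of `netstat -ano` (or reshape fport's columns on NT/2K, which have no PID column in netstat) and build the inventory dict from pslist plus the service binary paths; the point is that the listener on 31337 is only interesting once you can see it belongs to a svchost.exe copy in C:\Temp rather than in the system directory.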
Current thread:
- Compromised Win2000 machine. Daniel Hay (May 28)
- Re: Compromised Win2000 machine. H C (May 28)
- RE: Compromised Win2000 machine. Kit (May 28)
- RE: Compromised Win2000 machine. Don Weber (May 29)
- RE: Compromised Win2000 machine. H C (May 29)
- Re: Compromised Win2000 machine. Daniel Hay (May 29)
- Re: Compromised Win2000 machine. Mark Newby (May 29)
- Re: Compromised Win2000 machine. H C (May 29)
- Re: Compromised Win2000 machine. Patrick Andry (May 29)
- Re: Compromised Win2000 machine. H C (May 30)
- Re: Compromised Win2000 machine. - Follow UP Daniel Hay (May 30)
- Re[2]: Compromised Win2000 machine. Joris De Donder (May 31)
- Re: Re[2]: Compromised Win2000 machine. H C (May 31)
- RE: Compromised Win2000 machine. Don Weber (May 29)
- <Possible follow-ups>
- Re: Compromised Win2000 machine. ghb the irrepressible (May 29)