Security Incidents mailing list archives

Re: Compromised Win2000 machine.


From: H C <keydet89 () yahoo com>
Date: Wed, 29 May 2002 19:09:32 -0700 (PDT)

Some additional thoughts on this particular issue...

> ...but I thought the advice for a (possibly)
> compromised box was *not*
> to run executable programs that resided on that
> host, as they can't be trusted?

While I definitely recommend burning your tools...even
the ones shipped w/ NT/2K, including cmd.exe...to a
CD, to be quite honest, has anyone ever actually seen
a system w/ a trojaned netstat?  Now, I know many
folks are going to pump their arms into the air...so
let me clarify...this is a 2K box.  Has anyone ever
seen a trojaned cmd.exe or netstat.exe?  Has anyone
seen netstat.exe on an NT or 2K system "trojaned" so
as to NOT show certain connects...but otherwise, it
works fine?

Remember...the Linux/*nix architectures are different
from that of NT/2K...and XP.  I'm not saying that this
can't be done...I'm simply asking if anyone can show,
with proof, that this *has* been done?  And it doesn't
have to be just netstat.exe...it can be any other
native tool.  And binding the .exe file using
SaranWrap or EliteWrap doesn't count, as the basic
functionality still exists and all network connects
(netstat) will still be shown...



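One defender-side check behind the "burn your tools to a CD" advice above, as an added example that is not part of the original message: parse the connection list from the host's own netstat.exe and from a trusted copy run off CD, and report any row only the trusted copy shows. The two outputs and the CD path are constructed samples in Windows 2000 `netstat -an` format.

```python
"""Cross-check the on-host netstat.exe against a trusted copy run from CD.
Both outputs below are constructed samples; in practice each is captured
separately, e.g. the trusted one via D:\\tools\\netstat.exe -an
(hypothetical CD path), the other via the host's %SystemRoot%\\system32 copy.
"""
from typing import NamedTuple, Set


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str  # empty for UDP rows, which carry no State column


def parse_netstat(text: str) -> Set[Conn]:
    """Parse `netstat -an` output into a set of Conn tuples.

    Skips blank lines, the "Active Connections" banner and the column
    header; only rows whose first token is TCP or UDP are kept.
    """
    conns = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""
        conns.add(Conn(parts[0], parts[1], parts[2], state))
    return conns


def hidden_connections(trusted_out: str, host_out: str) -> Set[Conn]:
    """Rows the trusted tool reports but the host's own binary omits."""
    return parse_netstat(trusted_out) - parse_netstat(host_out)


# Constructed sample: output of the trusted netstat.exe run from CD.
TRUSTED = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1027      10.0.0.5:6667          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample: the host's own netstat.exe, with the 6667 row missing.
HOST = "\n".join(row for row in TRUSTED.splitlines() if "6667" not in row) + "\n"

if __name__ == "__main__":
    for c in sorted(hidden_connections(TRUSTED, HOST)):
        print(f"hidden by host netstat: {c.proto} {c.local} -> {c.remote} {c.state}")
```

Any row that appears only in the trusted output is evidence the on-host binary is filtering, which is exactly the behaviour the question asks whether anyone has seen.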

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
