Re: Compromised Win2000 machine.
From: H C (keydet89@yahoo.com)
Date: 05/30/02
- Previous message: Patrick Andry: "Re: Compromised Win2000 machine."
- In reply to: Mark Newby: "Re: Compromised Win2000 machine."
- Next in thread: Daniel Hay: "Re: Compromised Win2000 machine. - Follow UP"
- Next in thread: ghb the irrepressible: "Re: Compromised Win2000 machine."
- Reply: Daniel Hay: "Re: Compromised Win2000 machine. - Follow UP"
- Reply: Joris De Donder: "Re[2]: Compromised Win2000 machine."
Date: Wed, 29 May 2002 19:09:32 -0700 (PDT)
From: H C <keydet89@yahoo.com>
To: Mark Newby <mark@dranton.com>
Some additional thoughts on this particular issue...
> ...but I thought the advice for a (possibly)
> compromised box was *not*
> to run executable programs that resided on that
> host, as they can't be trusted?
While I definitely recommend burning your tools...even
the ones shipped w/ NT/2K, including cmd.exe...to a
CD, to be quite honest, has anyone ever actually seen
a system w/ a trojaned netstat? Now, I know many
folks are going to pump their arms into the air...so
let me clarify...this is a 2K box. Has anyone ever
seen a trojaned cmd.exe or netstat.exe? Has anyone
seen netstat.exe on an NT or 2K system "trojaned" so
as to NOT show certain connects...but otherwise, it
works fine?
Remember...the Linux/*nix architectures are different
from that of NT/2K...and XP. I'm not saying that this
can't be done...I'm simply asking if anyone can show,
with proof, that this *has* been done? And it doesn't
have to be just netstat.exe...it can be any other
native tool. And binding the .exe file using
SaranWrap or EliteWrap doesn't count, as the basic
functionality still exists and all network connects
(netstat) will still be shown...
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com