Re[2]: Compromised Win2000 machine.
From: Joris De Donder (l0t@securax.org) Date: 05/31/02
- Previous message: H C: "Re: Re[2]: Compromised Win2000 machine."
- In reply to: H C: "Re: Compromised Win2000 machine."
- Next in thread: H C: "Re: Re[2]: Compromised Win2000 machine."
- Reply: H C: "Re: Re[2]: Compromised Win2000 machine."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 31 May 2002 15:55:17 +0200
From: Joris De Donder <l0t@securax.org>
To: H C <keydet89@yahoo.com>
HC> Remember...the Linux/*nix architectures are different
HC> from that of NT/2K...and XP. I'm not saying that this
HC> can't be done...I'm simply asking if anyone can show,
HC> with proof, that this *has* been done? And it doesn't
HC> have to be just netstat.exe...it can be any other
HC> native tool. And binding the .exe file using
HC> SaranWrap or EliteWrap doesn't count, as the basic
HC> functionality still exists and all network connects
HC> (netstat) will still be shown...
* Fake netstat.exe (4/23/02):
http://kcom.org/tfiles/pafiledb.php?action=category&id=9
* Another fake netstat.exe (Apr 24 17:18:22 2001):
http://packetstormsecurity.org/UNIX/penetration/rootkits/Netstat.zip
* "A Rootkit for netstat under win2k, By ThreaT":
http://www.madchat.org/coding/nethide.txt
* Netstatp with source code:
http://packetstormsecurity.org/NT/IDS/netstatp.zip
[Could be used to build a netstat.exe clone]
* ReactOS:
http://www.reactos.com/
"ReactOS is an Open Source effort to develop a quality
operating system that is compatible with Windows NT
applications and drivers."
[Source code could be used to build a trojan cmd.exe,...]
* NTRootkit:
http://www.rootkit.com (seems to be down)
http://www.phrack.com/show.php?p=55&a=5
http://www.megasecurity.org/Tools/Nt_rootkit_all.html
"The NTRootKit project provides a framework for trojaning
the NT kernel and applications, in much the same manner as
rootkits for Linux and the various flavors of Unix."
"New features:
Embedded TCP/IP stack (stateless)
[...snip...]
NOTE: THIS MEANS THAT ROOTKIT DOES NOT SHOW UP IN NETSTAT
Indeed, why would it? It's not using the NT stack."
Regards,
Joris De Donder
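The thread's point is that a trojaned netstat.exe, or a rootkit with its own TCP/IP stack, makes the host an unreliable witness to its own connections; the practical check is to compare what the host reports against what an independent sensor sees on the wire. The following is an added example, not code from this message or from any of the tools linked above; the netstat output, the host address and the wire flows are all constructed sample data.

```python
import re
from typing import List, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

# Constructed sample of `netstat -an` output as the Windows 2000 host reports it.
HOST_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1035       10.0.0.2:80            ESTABLISHED
  TCP    192.168.1.5:139        10.0.0.9:3721          ESTABLISHED
  UDP    192.168.1.5:137        *:*
"""

# Constructed established TCP flows involving the host, as recorded by an independent
# sensor (e.g. a sniffer on a SPAN port) rather than asked of the host itself.
WIRE_FLOWS: List[Flow] = [
    ("192.168.1.5", 1035, "10.0.0.2", 80),
    ("10.0.0.9", 3721, "192.168.1.5", 139),
    ("198.51.100.7", 40001, "192.168.1.5", 31337),  # the host's netstat never lists this
    ("192.168.1.5", 1040, "203.0.113.4", 6667),     # nor this outbound one
]

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")

def parse_netstat_connections(text: str) -> Set[Flow]:
    """Collect the non-listening TCP 4-tuples (local_ip, local_port, remote_ip, remote_port)
    that netstat reports; LISTENING sockets and UDP entries have no peer and are skipped."""
    conns: Set[Flow] = set()
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m and m.group(5) != "LISTENING":
            conns.add((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return conns

def unacknowledged_flows(host_ip: str, netstat_text: str, flows: List[Flow]) -> List[Flow]:
    """Return wire flows involving host_ip that the host's own netstat does not report.
    Either direction is normalised to the host's (local, remote) view before comparing."""
    conns = parse_netstat_connections(netstat_text)
    hidden: List[Flow] = []
    for src, sport, dst, dport in flows:
        if src == host_ip:
            local_view = (src, sport, dst, dport)
        elif dst == host_ip:
            local_view = (dst, dport, src, sport)
        else:
            continue  # flow does not touch this host
        if local_view not in conns:
            hidden.append((src, sport, dst, dport))
    return hidden

if __name__ == "__main__":
    for flow in unacknowledged_flows("192.168.1.5", HOST_NETSTAT, WIRE_FLOWS):
        print("on the wire but not in netstat:", flow)
```

A hash check of netstat.exe against a known-good copy catches a replaced binary but not a kernel rootkit with an embedded stack; the wire comparison above catches both, because it never trusts the host.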
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com