Re: Anyone seen this before?

From: H C (keydet89@yahoo.com)
Date: 07/03/02


Date: Tue, 2 Jul 2002 16:28:37 -0700 (PDT)
From: H C <keydet89@yahoo.com>
To: "Michael  B. Morell" <MMorell@vdat.com>, incidents@securityfocus.com


> In task mgr, The application 'address' (w/o quotes)
> is running and is linked
> to the explorer.exe proc.

What do you mean by "linked"? What does this mean,
and what did you do (or what tool did you use) to
verify or discover this?

> <!--begin the obvious-->
> I verified that the explorer.exe was the correct
> size. There was only 1
> running with a normal thread count.

Okay...but what do you consider 'normal'?
 
> I checked hklm...\currentversion\run(run
> once,services) and nothing was in
> it. Stat up, same, nothing.

What? What does "stat up, same, nothing" refer to?

> I ran fport and fscan and nothing out of the
> ordinary popped up; netstat -a
> also
> did not show anything out of the ordinary. I also
> ran several other
> scanners against the
> machine and no known vulns that were unexpected
> popped up.

Okay...but if the process is on the machine, why are
you running scanners against it?
 
> IIS, Index service, etc are not running. All
> mappings removed, services
> disabled. Sp2, all app
> hotfixes installed. Pretty secure machine when run
> against normal audits.
> It is facing the public
> so the standard extra precautions have been taken.
> <!--end the obvious-->

All of that may have been obvious to you, but please
understand...most of us have no idea what you consider
to be "standard extra precautions". Hotfixes are all
good and fine...but did you unbind NetBIOS from the
Interface, leaving only TCP/IP?
 
> If anyone has seen this before please let me know.
> A search on google did not provide
> any solid leads. I did follow thru on checking for
> known code
> red/nimda/things that were
> close but not really leads.
>
> I appreciate any insight from the list.
>
> Oh, and please don't bother to tell me to blow away
> the OS and start from
> scratch.
> While I appreciate the suggestion, i'm looking for
> leads, not the obvious.

Well, first off, "blowing away the os" is hardly what
I would call an "obvious" answer. More like that
answer slung about by those who aren't knowledgeable.

Here's what I would suggest...go to SysInternals.com
and get a copy of handle.exe, listdlls.exe, and
pslist.exe (from the PSToolkit). These are all CLI
tools, so you may want to redirect their output to a
file...

Run the tools. Pslist will give you some specifics
about this "address" process...PID, times, etc. From
handle.exe, you should be able to get the user context
that the process is running under, plus the handles
(files, semaphors, etc) the process has open.
ListDlls will show you not only the DLLs the process
depends on, but also the command line used to launch
the process.

Also, the CreateProcess() API call requires the full
path to the executable as it's first argument, so you
should be able to find a copy of "address.exe"
someplace on your system.

Happy hunting. Let me know if you need any help.

__________________________________________________
Do You Yahoo!?
Sign up for SBC Yahoo! Dial - First Month Free
http://sbc.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



Relevant Pages