Re: Hidden services/processes in Win2k server
From: David Wang [Msft] (someone@online.microsoft.com)
Date: 02/14/03
- Next message: BB: "Re: First Time Install MS Net 2003 Firewall"
- Previous message: David Wang [Msft]: "Re: Permissions for non-admin in a IIS-Spawned installation in Win2K"
- In reply to: Finn: "Hidden services/processes in Win2k server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "David Wang [Msft]" <someone@online.microsoft.com> Date: Fri, 14 Feb 2003 00:24:17 -0800
Reinstall the machine and lock it down. The current install has been
compromised. You have no idea what backdoors may be running on it, when it
is running, what process it is named, etc., and there are no tools that can
tell you "your system is clean" next to a format and re-install. Any tool
that claims to be able to "clean up a machine that has been compromised" is
snake-oil.

For example, I can rename my backdoor program to be "svchost.exe", which is
a legitimate process to be running on Windows Servers. I can further
disguise that program by putting it in the System32 directory, renaming my DLLs
to be similar to system ones (or sound like system ones), and no tool will
ever safely detect this -- because if they are wrong, they just screwed your
system.
--
//David
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Finn" <finnurt@telia.com> wrote in message news:7fa5cf1a.0302120527.3052e012@posting.google.com...

Hi!

We have recently had some problems with people running telnet server, ftp server (mainly for software/game distribution) on our web server. I have found around 50 files or so like winshell, vhost, ftp software etc., originating from them (almost all of them hidden in /winnt/system32 and its subdirectories). All the game/software traffic went to and from the System Volume Information folder, which was of course hidden and inaccessible even to the administrator, except if I connected through radmin/file transfer. (Tip for those who suddenly lost 35+ GB of hard disk space and wonder where it went...)

Anyway, I am about to clean up the mess, and I wonder if you know any software or commands to find out if there's additional (hidden) services/processes running, except those displayed in Computer Management > Services and Task Manager > Processes.

PS. We're also about to install SecureIIS, does anyone have any good or bad experiences with it?

Thanks!
Finn
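As an added illustration of the masquerading David describes (example code, not from this thread or from Microsoft), here is a defender-side PowerShell check that flags processes and services using a system binary name from an unexpected location, with an unexpected parent, or without a valid Authenticode signature. It assumes a current Windows host with PowerShell 5.1 or later and an elevated shell; as David points out, an empty result does not prove the machine is clean.

```powershell
# Added example: heuristic triage for binaries masquerading as Windows system
# processes or services. Assumes PowerShell 5.1+ running as Administrator.
function Find-MasqueradingSystemBinaries {
    $system32 = Join-Path $env:SystemRoot 'System32'
    # Well-known names an attacker might borrow, as in the "svchost.exe" example.
    $watched  = @('svchost.exe','services.exe','lsass.exe','csrss.exe','winlogon.exe','smss.exe')

    # 1. Processes carrying a system name but running from outside System32,
    #    or svchost.exe instances not started by services.exe.
    Get-CimInstance Win32_Process |
        Where-Object { $watched -contains $_.Name.ToLower() } |
        ForEach-Object {
            $path = $_.ExecutablePath
            if ($path -and -not $path.StartsWith($system32, 'OrdinalIgnoreCase')) {
                [pscustomobject]@{ Kind='Process'; Id=$_.ProcessId; Name=$_.Name
                                   Path=$path; Reason='image outside System32' }
            }
            if ($_.Name -ieq 'svchost.exe') {
                $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
                $pname  = if ($parent) { $parent.Name } else { '<exited>' }
                if ($pname -ine 'services.exe') {
                    [pscustomobject]@{ Kind='Process'; Id=$_.ProcessId; Name=$_.Name
                                       Path=$path; Reason="parent is $pname" }
                }
            }
        }

    # 2. Services whose binary lives outside the Windows directory or is not
    #    validly signed. PathName may be quoted and may carry arguments.
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = if ($_.PathName -match '^"([^"]+)"')      { $Matches[1] }
               elseif ($_.PathName -match '^(\S+\.exe)') { $Matches[1] }
               else                                       { $_.PathName }
        $reasons = @()
        if (-not $exe.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')) { $reasons += 'binary outside Windows dir' }
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        } else { $reasons += 'binary not found on disk' }
        if ($reasons) {
            [pscustomobject]@{ Kind='Service'; Id=$_.ProcessId; Name=$_.Name
                               Path=$exe; Reason=($reasons -join '; ') }
        }
    }
}

Find-MasqueradingSystemBinaries | Format-Table -AutoSize
```

Review every hit against a known-good build before acting on it; legitimate third-party services often run from Program Files and will appear in the service list.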