Thanks Matt for the great challenge. I really appreciate you taking the time to put it together (I'm a big Firefly/Serenity fan).
Don - thanks for hosting and good luck with ChicagoCon.
-Andy
---------------------------------------------------------------------------------
"No power in the 'verse can stop me!" exclaims Kaylee as she begins typing on the keyboard.
E:\sysinternals>tcpvcon.exe -a -n
TCPView v2.34 - TCP/UDP endpoint lister
Copyright (C) 1998-2003 Mark Russinovich Sysinternals - www.sysinternals.com

[TCP] C:\niskabot.exe
PID: 404
State: ESTABLISHED
Local: 172.16.30.129:1080
Remote: 172.16.30.1:6667
Rubbing grease on the monitor, Kaylee says "There's that little bugger. All nicely labeled niskabot and running on port 6667 for me, Shiny!" She continues to type.
E:\sysinternals>procexp.exe
Watching Process Explorer in the background, she keeps typing.
E:\sysinternals>pskill niskabot.exe
PsKill v1.12 - Terminates processes on local or remote systems
Copyright (C) 1999-2005 Mark Russinovich Sysinternals - www.sysinternals.com

Process niskabot.exe killed.
"Now, that there should do it...Huh!??!" Kaylee gasps as she sees a new process pop up in the Process Explorer window.
Stepping out from the shadows, her bare feet barely make a sound.
River grabs the keyboard. "It's broken. Contradictions, false logistics - doesn't make sense."
C:\>netstat -nao
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 924
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:1035 0.0.0.0:0 LISTENING 1164
TCP 172.16.30.129:139 0.0.0.0:0 LISTENING 4
TCP 172.16.30.129:1081 172.16.30.1:6667 ESTABLISHED 1111
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 704
UDP 127.0.0.1:123 *:* 1020
UDP 172.16.30.129:123 *:* 1020
UDP 172.16.30.129:137 *:* 4
UDP 172.16.30.129:138 *:* 4
"River, no no. What are you doing?" shouts Kaylee.
"Sysinternals is not a natural part of Windows. It doesn't belong, you can't use it." continues River as she types on the keyboard.
C:\>wmic process list brief
HandleCount Name Priority ProcessId ThreadCount WorkingSetSize
0 System Idle Process 0 0 1 28672
427 System 8 4 50 258048
21 smss.exe 11 560 3 409600
455 csrss.exe 13 624 12 2596864
524 winlogon.exe 13 648 18 4128768
277 services.exe 9 692 15 3346432
344 lsass.exe 9 704 18 1458176
213 svchost.exe 8 856 16 5099520
284 svchost.exe 8 924 10 4247552
1319 svchost.exe 8 1020 60 22945792
191 ccSetMgr.exe 8 1236 6 4018176
294 ccEvtMgr.exe 8 1264 16 2998272
56 VMwareService.exe 13 388 3 3022848
104 alg.exe 8 1164 5 3579904
36 wscntfy.exe 8 1708 1 2330624
435 explorer.exe 8 1720 13 7733248
32 VMwareTray.exe 8 516 1 3096576
79 VMwareUser.exe 8 1780 3 4730880
242 ccApp.exe 8 1788 8 8585216
99 ctfmon.exe 8 1812 1 3551232
32 cmd.exe 8 3164 1 2813952
239 procexp.exe 13 3804 4 16363520
28 niskabot.exe 8 1111 1 1888256
139 wmic.exe 8 2200 3 5853184
141 wmiprvse.exe 8 2256 6 5722112
"River, Sysinternals was bought by Microsoft like a million centuries ago." says Kaylee.
"So, we'll integrate non-progressional evolution theory with Microsoft's acquisition of Sysinternals. Niskabot is running with the process id of two elevens. Eleven. Important number. Prime number. One goes into the house of eleven eleven times, but always comes out one. This recovery after failure is a problem." River continues to type.
C:\>sc delete niskabot
C:\>regedit
Navigating to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices keys, River deletes Microsoft Update=niskabot.exe.
C:\>wmic process 1111 delete
"River, you can't go use'n the system tools on a compromised system. What if them system tools were modified?" says Kaylee as she tries to tug the keyboard out of River's hands.
Mal interrupts the keyboard tug-of-war "Are we going to get my boat fixed to-DAY!?"
"Day is a vestigial mode of time measurement based on solar cycles. It's not applicable..." states River as she lets go of the keyboard.
"Come on Mal. Let me introduce her to Vera." Jayne begs staring at River.
River glances up at Jayne, "I can kill you with my brain."
Simon grabs River's arm and starts walking her off the bridge as River mumbles, "Liou coe shway duh biao-tze huh hoe-tze duh bun ur-tze."
Mal ignores them, "You tell me right now, little Kaylee, you really think you can fix this?"
"Sure. Yeah. I think so. 'Sides, if I mess up, not like you'll be able to yell at me." says Kaylee with a smile. "You see Capt'n, if I just move the source over to one of my Linux boxes, and grep for 'RegisterCommand'...there, now let's see what we can be doin' with this list of commands. Oh uh, a password." but Mal has turned his attention back to Wash.
Kaylee continues anyways, "See this assembl'r code, Zoey. Well, it appears they're try'n to obfuscate the password." Kaylee puts the password in order and MalloryWasHot! shows up on the grease-covered screen.
"Hey y'all look." shouts Kaylee. "Someone must've seen Mal in the wagon on Triumph all fancy'd up in that purty floral bonnet and dress."
Confused, Jayne looks over Kaylee's shoulder at the monitor. "Oh crap, Justine Bateman is attacking us!" he screams as he jumps back from the screen.
"Jayne, it is common knowledge that Lucy Mallory was one of the passengers on Stagecoach." inserts Book. "As a 1939 Western Classic, Stagecoach..."
Zoey interrupts "Alice and Bob are always defend'n themselves against attacks from Eve and Mallory. This must be some of their code."
Everyone looks over to Mal.
...
Mal: "Uh.. ok. Great then. Wash! How are we doin'?"
Posted by Don.
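As an added defensive example, not part of Andy's submission or of the challenge itself: a Python script that does the correlation Kaylee and River do by hand, parsing `netstat -nao` and `wmic process list brief` output (transcribed from the post above and trimmed), mapping each connection's PID to a process name, flagging connections to the IRC port 6667, and comparing two process snapshots so a process that came back under a new PID after `pskill` stands out, which is River's "recovery after failure" point. The "before" snapshot and the watched-port list are constructed assumptions, not data from the post beyond the PID 404 that tcpvcon reported.

```python
"""Correlate netstat -nao with wmic process list brief and spot a respawned process.
Added example; sample output is transcribed from the post and trimmed, not captured live."""
import re
from dataclasses import dataclass
from typing import Optional

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1035         0.0.0.0:0              LISTENING       1164
  TCP    172.16.30.129:139      0.0.0.0:0              LISTENING       4
  TCP    172.16.30.129:1081     172.16.30.1:6667       ESTABLISHED     1111
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    704
  UDP    127.0.0.1:123          *:*                                    1020
  UDP    172.16.30.129:123      *:*                                    1020
  UDP    172.16.30.129:137      *:*                                    4
  UDP    172.16.30.129:138      *:*                                    4
"""

# A few rows of the post's wmic listing (trimmed), including a multi-word name.
WMIC_SAMPLE = """\
HandleCount  Name                 Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process  0         0          1            28672
427          System               8         4          50           258048
284          svchost.exe          8         924        10           4247552
104          alg.exe              8         1164       5            3579904
239          procexp.exe          13        3804       4            16363520
28           niskabot.exe         8         1111       1            1888256
"""

# Constructed "before" snapshot: tcpvcon in the post showed niskabot.exe as PID 404
# before pskill; the other entries are plausible stand-ins, not from the post.
SNAPSHOT_BEFORE = {4: "System", 404: "niskabot.exe", 924: "svchost.exe", 3804: "procexp.exe"}

WATCHED_REMOTE_PORTS = {6667}  # IRC, the bot's command channel in this challenge (assumption)


@dataclass
class Connection:
    proto: str
    local: str
    local_port: Optional[int]
    remote: str
    remote_port: Optional[int]
    state: Optional[str]
    pid: int


def _split_endpoint(endpoint):
    """'172.16.30.1:6667' -> ('172.16.30.1', 6667); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # blank line or header
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else None  # UDP rows have no State column
        lhost, lport = _split_endpoint(local)
        rhost, rport = _split_endpoint(remote)
        conns.append(Connection(proto, lhost, lport, rhost, rport, state, int(parts[-1])))
    return conns


# Non-greedy name group so 'System Idle Process' survives the whitespace split.
_WMIC_ROW = re.compile(r"^(\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_wmic_brief(text):
    """Return {pid: name} from 'wmic process list brief' output."""
    procs = {}
    for line in text.splitlines():
        m = _WMIC_ROW.match(line.strip())
        if m:
            procs[int(m.group(4))] = m.group(2)
    return procs


def flag_connections(conns, procs, watched=WATCHED_REMOTE_PORTS):
    """(name, pid, remote host, remote port) for every connection to a watched port."""
    return [(procs.get(c.pid, "<unknown>"), c.pid, c.remote, c.remote_port)
            for c in conns if c.remote_port in watched]


def detect_respawn(before, after):
    """Names whose old PID is gone but which are running again under a new PID."""
    after_by_name = {}
    for pid, name in after.items():
        after_by_name.setdefault(name, []).append(pid)
    respawned = {}
    for pid, name in before.items():
        if pid not in after and name in after_by_name:
            respawned[name] = (pid, after_by_name[name][0])
    return respawned


if __name__ == "__main__":
    procs = parse_wmic_brief(WMIC_SAMPLE)
    for row in flag_connections(parse_netstat(NETSTAT_SAMPLE), procs):
        print("connection to watched port:", row)
    for name, (old, new) in detect_respawn(SNAPSHOT_BEFORE, procs).items():
        print(f"{name} came back as PID {new} after PID {old} was killed; "
              "check services and the Run/RunServices keys for what restarts it")
```

The respawn check is the part worth keeping around: a kill that "works" in Process Explorer and a fresh PID seconds later is the signal that a service entry or autorun key, not the process, is what has to go first.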