Answer 1)*Most* Unusual is process smss.exe with PID 1384 with memory usage 1384 k, the normal smss.exe critical systems service takes around 344 K (and we see that its there).
Fishy, we've caught our rogue process ;-).
Answer 2)We can use the free tool "TCPView" freely availble from Sysinternals.com to determine whether this process is listening on a TCP or UDP port.
http://www.sysinternals.com/ntw2k/source/tcpview.shtmlAnswer 3)Nigel could'nt kill this process as the backdoor uses an interesting vulnerability in the design of Windows 2k. The OS is not case sensitive when determining critical system processes :
- winlogon.exe
- csrss.exe
- smss.exe
- services.exe
Since the backdoor has the same name, the OS refuses to terminate it.
Reference
---------
http://www.securityfocus.com/bid/3033Answer 4)Nigel can either use the "kill" utility supplied with the Windows 2K Resource kit, or he can choose an even more advanced version from Sysinternals:
http://www.sysinternals.com/ntw2k/freeware/pstools.shtml (complete suite)
http://www.sysinternals.com/ntw2k/freeware/pskill.shtml--- SIGNATURE ---
"The gull sees farthest who flies highest"
GPG/PGP key located at acksyn.infosecwriters.com
Network Pen Testing : Tomcat authentication with sqlmap
