HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 22 guests and 2 members online
EH-Net Donations

Enter Amount:
$
Google Ads
EH-Net News Feeds
Latest Additions
Book Recommendations



 
Advertisement

You are here: Home arrow Forum arrow Featuresarrow Skillzarrow Examplesarrow Example 2: Winning Entry #2 - Arun Darlie Koshy
Ethical Hacker Community Forums
January 08, 2009, 10:28:09 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: ChicagoCon 2009 - May 4 - 9. Boot Camps & an Ethical Hacking Conf. www.chicagocon.com
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Example 2: Winning Entry #2 - Arun Darlie Koshy  (Read 2208 times)
0 Members and 1 Guest are viewing this topic.
don
Editor-In-Chief
Administrator
Hero Member
*****
Online Online

Posts: 2442


Editor-In-Chief


View Profile WWW
« on: April 13, 2006, 12:47:05 PM »
Answer 1)

*Most* Unusual is process smss.exe with PID 1384 with memory usage 1384 k, the normal smss.exe critical systems service takes around 344 K (and we see that its there).

Fishy, we've caught our rogue process ;-).

Answer 2)

We can use the free tool "TCPView" freely availble from Sysinternals.com to determine whether this process is listening on a TCP or UDP port.

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Answer 3)

Nigel could'nt kill this process as the backdoor uses an interesting vulnerability in the design of Windows 2k. The OS is not case sensitive when determining critical system processes :

- winlogon.exe
- csrss.exe
- smss.exe
- services.exe

Since the backdoor has the same name, the OS refuses to terminate it.

Reference
---------

http://www.securityfocus.com/bid/3033

Answer 4)

Nigel can either use the "kill" utility supplied with the Windows 2K Resource kit, or he can choose an even more advanced version from Sysinternals:

http://www.sysinternals.com/ntw2k/freeware/pstools.shtml (complete suite)

http://www.sysinternals.com/ntw2k/freeware/pskill.shtml


--- SIGNATURE ---

"The gull sees farthest who flies highest"

GPG/PGP key located at acksyn.infosecwriters.com
Logged
CISSP, MCSE, CEH, Security+ SME
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.7 | SMF © 2006-2007, Simple Machines LLC
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.056 seconds with 24 queries.
 
Sponsors

cwnp_moto__120x90.gif

Polls
How many security events including conferences and training do you attend a year:
 
Support EH-Net

Support EH-Net by
Buying all of your
Amazon items using
the search bar above.
cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!
Recent Forum Topics
Vote For EH-Net

progenic.com
Click here to Vote!

binarica.com
Binarica Logo

Add to Technorati Favorites
technorati fave

 
         
Advertisement

© 2009 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.