mailing list archives
Re: Hacked again???
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 27 Jun 2005 11:30:32 +0200
On 2005-06-21 Christoph 'knurd' Jeschke wrote:
Valentin Höbel schrieb:
so for the appearance of the process, he has to start the messenger
And the integrity of the msnmsgr.exe is important, too. Malware can
easily replace a existing msnmsgr.exe or simply create a new one at
another place (like Rbot did - especially if a user is over-
To be sure, the OP should take sysinternals Process Explorer.
If he was using an overly privileged account that may not suffice, since
a rootkit may manipulate what Process Explorer gets to see. I would
recommend using RootkitRevealer in addition to Process Explorer. Even
better would be to boot some other system (Knoppix, BartPE, ... you name
it), get the checksum of the binaries in question and compare them to
the checksums on a known-good system.
"All vulnerabilities deserve a public fear period prior to patches
--Jason Coombs on Bugtraq
Re: Hacked again??? Christoph 'knurd' Jeschke (Jun 17)