Home page logo
/

basics logo Security Basics mailing list archives

Re: Hacked again???
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 27 Jun 2005 11:30:32 +0200

On 2005-06-21 Christoph 'knurd' Jeschke wrote:
Valentin Höbel schrieb:
so for the appearance of the process, he has to start the messenger
one time.

And the integrity of the msnmsgr.exe is important, too. Malware can
easily replace a existing msnmsgr.exe or simply create a new one at
another place (like Rbot did - especially if a user is over-
privileged.

To be sure, the OP should take sysinternals Process Explorer.

If he was using an overly privileged account that may not suffice, since
a rootkit may manipulate what Process Explorer gets to see. I would
recommend using RootkitRevealer in addition to Process Explorer. Even
better would be to boot some other system (Knoppix, BartPE, ... you name
it), get the checksum of the binaries in question and compare them to
the checksums on a known-good system.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]