Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Looking for a tool
From: Nicob <nicob () nicob net>
Date: Tue, 02 Mar 2004 13:43:48 +0100

On Tue, 2004-03-02 at 00:36, Schmehl, Paul L wrote:

        Well, I usually use *sysinternals* Process Exporer, and have
        yet to see it fail to list a process...  how do you know the
        process exists, if you can't list it?
        Real simple.  I have randomly named processes (like
        gk5odre.exe) popping up, and when I kill them, another one
        takes their place.  *Something* has to be the parent than
        controls this.  I can delete an entire registry key and watch
        it be recreated in less than a second.  I can delete a
        directory with three dlls in it and watch it be recreated
        right before my eyes.  I can kill the randomly named process
        and watch it reappear using the same name or a completely
        different name.  I can delete the executable after killing the
        process, and it will be recreated in no time.  So *something*
        has to be controlling it, yet when I look at the process tree,
        the randomly named process appears to be the parent.

Probably a rootkit.

Give a look to klister and patchfinder2, from www.rootkit.com ...

Nicob <nicob () nicob net>

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]