RE: [Full-Disclosure] Looking for a tool
From: Nicob (nicob at nicob.net)
Date: Tue Mar 02 2004 - 06:43:48 CST
On Tue, 2004-03-02 at 00:36, Schmehl, Paul L wrote:
> Well, I usually use *sysinternals* Process Explorer, and have
> yet to see it fail to list a process... how do you know the
> process exists, if you can't list it?
>
> Real simple. I have randomly named processes (like
> gk5odre.exe) popping up, and when I kill them, another one
> takes their place. *Something* has to be the parent that
> controls this. I can delete an entire registry key and watch
> it be recreated in less than a second. I can delete a
> directory with three dlls in it and watch it be recreated
> right before my eyes. I can kill the randomly named process
> and watch it reappear using the same name or a completely
> different name. I can delete the executable after killing the
> process, and it will be recreated in no time. So *something*
> has to be controlling it, yet when I look at the process tree,
> the randomly named process appears to be the parent.
Probably a rootkit.
Have a look at klister and patchfinder2, from www.rootkit.com ...
Regards,
--
Nicob <nicob at nicob.net>
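The symptoms Paul describes (a respawning process whose only visible parent is itself, and no visible controller) are what a user-mode process listing shows when the controlling process is being hidden from the enumeration path that Task Manager and Process Explorer use. Before reaching for the kernel-side tools Nicob mentions, a cheap first check is a cross-view comparison: enumerate processes through several independent paths and look for PIDs that one path reports and another does not. The script below is an added example written for this page; it is not from the thread, from Nicob, or from klister/patchfinder2. It assumes a Windows host, an elevated PowerShell session, and the usual NT convention that PIDs are multiples of 4 below 65536 (raise the bound if in doubt). The P/Invoke signatures for OpenProcess and CloseHandle are the real kernel32 ones; everything else is local naming.

```powershell
# Added example (not part of the original thread): cross-view check for
# processes hidden from the normal listing, plus parent-PID resolution to
# find whatever keeps respawning the randomly named process.
# Assumptions: Windows, elevated shell, PIDs are multiples of 4 and < 65536.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED = 5

# View 1: the ordinary snapshot enumeration (the same data Task Manager and
# Process Explorer start from).
$snapshotPids = @([System.Diagnostics.Process]::GetProcesses() | ForEach-Object { $_.Id })

# View 2: WMI Win32_Process, which also carries ParentProcessId.
$wmi = @(Get-CimInstance Win32_Process |
         Select-Object ProcessId, ParentProcessId, Name, ExecutablePath)
$wmiByPid = @{}
foreach ($p in $wmi) { $wmiByPid[[int]$p.ProcessId] = $p }

# View 3: brute-force the PID space with OpenProcess. A returned handle, or
# ACCESS_DENIED ("exists but protected"), proves the kernel still knows the
# PID even if the process was unlinked from the list the enumerations walk.
# ERROR_INVALID_PARAMETER means no such process.
$bruteForcePids = @(foreach ($candidate in 4..65532) {
    if ($candidate % 4 -ne 0) { continue }
    $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
    if ($h -ne [IntPtr]::Zero) {
        [void][Win32.Native]::CloseHandle($h)
        $candidate
    } elseif ([System.Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED) {
        $candidate
    }
})

# Anything reachable by PID but absent from both listings deserves a hard look.
$hidden = @($bruteForcePids | Where-Object {
    ($snapshotPids -notcontains $_) -and (-not $wmiByPid.ContainsKey([int]$_))
})
if ($hidden.Count -gt 0) {
    Write-Host "PIDs reachable via OpenProcess but missing from process listings:"
    $hidden | ForEach-Object { Write-Host ("  PID {0}" -f $_) }
} else {
    Write-Host "No discrepancy between OpenProcess brute force and process listings."
}

# Parent resolution: name each process's parent. A parent PID that maps to no
# listed process is either a parent that already exited (PID reuse makes this
# noisy) or, if the brute-force view still reaches it, a process being hidden
# from the listing. The latter is the controller Paul is looking for.
foreach ($p in ($wmi | Sort-Object ProcessId)) {
    $parentPid = [int]$p.ParentProcessId
    if ($wmiByPid.ContainsKey($parentPid)) {
        $parentName = $wmiByPid[$parentPid].Name
    } elseif ($bruteForcePids -contains $parentPid) {
        $parentName = "<PID $parentPid exists but is NOT listed>"
    } else {
        $parentName = "<PID $parentPid not running>"
    }
    "{0,6}  {1,-28} parent: {2,6}  {3}" -f $p.ProcessId, $p.Name, $parentPid, $parentName
}
```

Two caveats a practitioner should keep in mind. First, all three views are taken from user mode through system calls; a kernel rootkit that hooks NtQuerySystemInformation and NtOpenProcess alike will hide from every one of them, which is exactly why kernel-side approaches such as the ones Nicob points to exist. This script only catches the cheaper trick of unlinking a process from the active-process list while leaving the PID lookup table intact. Second, a parent that shows as "not running" is not by itself suspicious, since the launcher may simply have exited; the interesting case is a parent PID the brute-force view can still open but no listing shows.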
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html