From: Patrick S. Harper (patrickinternetsecurityguru.com)
Date: Thu Sep 20 2001 - 15:18:53 CDT

    It should give you a warning that they were removed. If you hit cancel
    on the replace they are not replaced until you next hotfix or service
    pack.

    The other choice would be to ACL the files directly. That wouldn't be
    that hard to script out.

    Peace, commerce, and honest friendship with all nations -- entangling
    alliances with none.
    --Thomas Jefferson (1743-1826)

    From every mountainside let freedom ring.
    --Samuel Francis Smith, from the anthem "America", 1831

    -----Original Message-----
    From: Christopher Scragg [mailto:cscraggworkgroup.net]
    Sent: Thursday, September 20, 2001 1:13 PM
    To: Douglas Spooner; focus-mssecurityfocus.com
    Subject: RE: Move those files! cmd.exe tftp.exe etc ...

    ... Which would be nice if everyone were running Windows NT, but as most
    Win2k users are aware, Windows replaces the removed files. Microsoft
    found it important to make system files resilient - go figure.

     
    Christopher Scragg
    Chief Technology Officer
    Business Information Group

     
     

    :-----Original Message-----
    :From: Douglas Spooner [mailto:webmastertechnicweb.com]
    :Sent: Thursday, September 20, 2001 12:01 PM
    :To: 'focus-mssecurityfocus.com'
    :Subject: Move those files! cmd.exe tftp.exe etc ...
    :
    :
    :I've found that it's usually best to move all these files out
    :of the /system32 dir and place them in a dir with secure
    :permissions, that way if the request does get through the
    :file(s) it's looking for won't be there :)
    :
    : xcopy.exe, wscript.exe, cscript.exe, net.exe, ftp.exe, telnet.exe,
    : arp.exe, edlin.exe, ping.exe, route.exe, at.exe, finger.exe,
    : posix.exe, rsh.exe, atsvc.exe, qbasic.exe, syskey.exe,
    : cacls.exe, ipconfig.exe, rcp.exe, secfixup.exe, nbtstat.exe,
    : rdisk.exe, debug.exe, regedt32.exe, regedit.exe, edit.com,
    : netstat.exe, tracert.exe, nslookup.exe, rexec.exe, cmd.exe,
    : nslookup.exe, tftp.exe
    :
    :The above tools I think would probably be what most
    :worms/script kiddies would be looking for if your system got
    :compromised.
    :
    :Regards
    :
    :Douglas Spooner
    :Sys Admin / Web Developer
    :Technicweb.com
    :
    :"I say we take off and nuke the entire site from orbit"
    :
    :Kosch Of Saryrn
    :
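
Added example, not part of the original thread: one way to script the "ACL the files directly" option from the top reply, using PowerShell and icacls on a current Windows system. The account name, the backup directory and the subset of tools are assumptions; the script only reports unless -Apply is given, and it assumes an elevated session that is allowed to change each file's DACL.

```powershell
# Added example (not from the thread). Dry run by default; pass -Apply to change ACLs.
# Assumptions: elevated session with permission to modify each file's DACL;
# $Account is a hypothetical low-privilege account supplied by the operator.
param(
    [Parameter(Mandatory)] [string]$Account,
    [string]$SystemDir = (Join-Path $env:SystemRoot 'System32'),
    [string]$BackupDir = (Join-Path $env:TEMP 'acl-backup'),
    [switch]$Apply
)

# Subset of the tool list posted in the thread.
$tools = 'cmd.exe','tftp.exe','ftp.exe','telnet.exe','net.exe','at.exe',
         'cscript.exe','wscript.exe','rcp.exe','rsh.exe','rexec.exe','cacls.exe'

if ($Apply) { New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null }

foreach ($name in $tools) {
    $path = Join-Path $SystemDir $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Host "skip     $name (not present)"
        continue
    }

    # Show who holds an Allow ACE with execute rights today, for review.
    $exec = (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile) } |
        ForEach-Object { $_.IdentityReference.Value }
    Write-Host "current  $name  execute: $($exec -join ', ')"

    if (-not $Apply) {
        Write-Host "would    icacls `"$path`" /deny `"${Account}:(RX)`""
        continue
    }

    # Save the existing ACL first; restore with: icacls <SystemDir> /restore <file>
    icacls $path /save (Join-Path $BackupDir "$name.acl") | Out-Null
    icacls $path /deny "${Account}:(RX)" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $name (exit $LASTEXITCODE)" }
    else { Write-Host "denied   $name for $Account" }
}
```

Unlike moving the files, an explicit deny entry leaves each binary in place, so the file-replacement behaviour described in the thread is not triggered by a missing file.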