From: Lincoln Yeoh (lyeohpop.jaring.my)
Date: Mon Nov 05 2001 - 20:06:07 CST
At 12:06 AM 05-11-2000 -0800, Robert Freeman wrote:
>A reboot is helpful unless the NT box is not password protected or has an
>agent to automatically enter the password upon startup. Until an admin shows
>up the box is basically useless.
AFAIK the services still start after a reboot. So the trojaned box still
scans the whole internet.
>Secondly, the ExitWindowsEx function in user32.dll can: 1) log off a user;
>2) shutdown (and power down on ACPI motherboards); 3) reboot. This function
>is utilized by shutdown.exe which can be called via WinExec or in the
>following manner: "cmd /C shutdown."
>WinExec is accessible via the native api / INT 2E gate in the event the call
>is being debugged/hooked. Actually try NtDll.NtShutdownSystem if you decide
>to write code to use the native api (I can go into more depth on how to do
>this if you want).
I did try that. The log off works, but the shutdown doesn't. Unless I
really have to I don't want to have to upload code (to call that priv
routine and then call the shutdown) to the target and get it to run it.
So is it impossible to remotely shut down (properly) a default install NT
machine (no reskit stuff, just infected with codered/nimda)?
I guess I'll try the cmd /c echo tab backspace thingy when I have time. Not
a proper shutdown tho. But at this moment it looks like default NT
installations don't make remote shutdowns easy (just remote crash/root doh!