[unisog] Hidden Ftp Server

Reg Quinton reggers at ist.uwaterloo.ca
Wed Jun 23 15:19:34 GMT 2004

From: "Wells, Cary" <cary.wells at ualberta.ca>
> it got there but that's not the problem.  The problem is I can't find the
> executable that is running it.

We have seen compromises running at the system level and protected from the
administrator finding them (the "System" has more privileges than the
"Administrator"). Our Windows gurus (I'm not one of them) tell me that to
get a job running with "system" privileges you should try this:

If you cannot access the files, the hacker may have protected them by
placing them in a directory that is accessible by the NT_AUTHORITY/SYSTEM
account only. To access these files, schedule a command shell to run. As
long as the Task Scheduler service ("schedule" under NT) is running under
the SYSTEM account (default installation), the resulting cmd window will be
running under the SYSTEM account. I use the soon command (W2k Pro Resource
Kit) to schedule the task:

 "soon 60 /interactive %comspec% /k"

  (If you are not logged on using an administrator account, you will need
to use this command with runas, e.g. runas /user:domain\account "soon 60
/interactive %comspec% /k".)

Within a minute (60 seconds) a command window will be launched by
svchost.exe and running under NT_AUTHORITY/SYSTEM (verify by typing whoami,
if resource kit installed). If you type "explorer" (no quotes), you will
get a Windows Explorer window running under the SYSTEM account and you can
explore the OS as SYSTEM. At this point, you can also assign less
restrictive permissions to open up SYSTEM-only folders if you want.
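The same procedure as a batch file, added here as an illustration and not part of the original post. It uses the built-in `at` command instead of the Resource Kit `soon` wrapper (`soon` is itself a front end to `at`), computes the next minute from %TIME% (working around cmd's octal reading of "08"/"09"), schedules an interactive `cmd /k` that the Task Scheduler service launches as SYSTEM, and, when invoked again from inside that SYSTEM window with `open DIR`, lists the protected directory and adds Administrators full control with `cacls`. The file name `systemshell.cmd` and the directory argument are assumptions for the example. Two caveats: `at` needs an Administrator logon and the scheduler service running, and on Windows Vista and later an `/interactive` task no longer reaches the user's desktop (session 0 isolation), so there a tool such as Sysinternals `psexec -s -i cmd` is the usual way to get the same SYSTEM window.

```batch
@echo off
rem systemshell.cmd -- added example, not code from the original post.
rem Usage (from an Administrator cmd window):
rem   systemshell.cmd            schedule a SYSTEM cmd window one minute from now
rem   systemshell.cmd open DIR   run from inside the SYSTEM window: show DIR and
rem                              grant Administrators full control so the hidden
rem                              files can be inspected normally afterwards
setlocal
if /i "%~1"=="open" goto :open

rem --- 1. make sure the Task Scheduler service ("schedule") is running ---
net start schedule >nul 2>&1

rem --- 2. compute HH:MM one minute from now (the "soon 60" equivalent) ---
rem %TIME% looks like "15:19:34.56"; a single-digit hour has a leading space.
set HH=%TIME:~0,2%
set HH=%HH: =0%
set MM=%TIME:~3,2%
rem "1%X%-100" keeps set /a from treating 08 and 09 as (invalid) octal numbers
set /a HH=1%HH%-100
set /a MM=1%MM%-100+1
if %MM% GEQ 60 (set /a MM-=60 & set /a HH+=1)
if %HH% GEQ 24 set /a HH=0
set HH=0%HH%
set HH=%HH:~-2%
set MM=0%MM%
set MM=%MM:~-2%

rem --- 3. schedule an interactive shell; the scheduler starts it as SYSTEM ---
echo Scheduling "%COMSPEC% /k" at %HH:%MM% ...
at %HH%:%MM% /interactive "%COMSPEC% /k"
echo When the window appears, type whoami and expect NT AUTHORITY\SYSTEM.
goto :eof

:open
rem Running inside the SYSTEM window: list the SYSTEM-only directory, then
rem edit (/E) its ACL, recursing into subdirectories (/T), to grant (/G)
rem Administrators full control (F) so it can be examined from a normal logon.
if "%~2"=="" (echo usage: %~nx0 open DIR & exit /b 1)
dir /a "%~2"
cacls "%~2" /T /E /G Administrators:F
```

Once the SYSTEM window is open, `systemshell.cmd open C:\some\hidden\dir` is the scripted form of the "assign less restrictive permissions" step above; `dir /a` is used so that files the intruder marked hidden or system are listed too.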

