[unisog] Hidden Ftp Server

Tom Maglio tom.maglio at bbkhealthcare.com
Wed Jun 23 18:45:54 GMT 2004


You might want to try klister, which should list all processes, even
those hidden ones.


> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Reg Quinton
> Sent: Wednesday, June 23, 2004 11:20 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Hidden Ftp Server
> From: "Wells, Cary" <cary.wells at ualberta.ca>
> > it got there but that's not the problem.  The problem is I can't find the
> > executable that is running it.
> We have seen compromises running at the system level and protected from the
> administrator finding them (the "System" has more privileges than the
> "Administrator"). Our windows gurus (I'm not one of them) tell me that to
> get a job running with "system" privileges you should try this:
> <-------------
> If you cannot access the files, the hacker may have protected them by
> placing them in a directory that is accessible by the account only. To
> access these files, schedule a command shell to run. As long as the Task
> Scheduler service ("schedule" under NT) is running under the SYSTEM account
> (default installation), the resulting cmd window will be running under the
> SYSTEM account. I use the soon command (W2k Pro Resource Kit) to schedule
> the task:
>  "soon 60 /interactive %comspec% /k"
>   (If you are not logged on using an administrator account, you will need
> to use this command with runas (e.g. runas /user:domain\account "soon 60
> /interactive %comspec% /k").)
> Within a minute (60 seconds) a command window will be launched by
> svchost.exe and running under NT_AUTHORITY/SYSTEM (verify by typing whoami,
> if resource kit installed). If you type "explorer" (no quotes), you will
> get a Windows Explorer window running under the SYSTEM account and you can
> explore the OS as SYSTEM. At this point, you can also assign less
> restrictive permissions to open up SYSTEM-only folders if you want.
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
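The thread's underlying problem is mapping a listening FTP port back to the executable that owns it, and noticing when the owning process does not show up in the normal process list (the cross-view idea behind tools like klister). The following is an added example, not code from the thread or from any tool named in it; it assumes a modern Windows host with `Get-NetTCPConnection` available and is run from an elevated PowerShell on the box being examined.

```powershell
# Added example: map listening TCP ports to their owning process image.
# A PID that owns a socket but has no matching Win32_Process object is a
# hidden-process indicator worth following up with a kernel-level tool.
function Get-ListenerOwners {
    param(
        # Ports to inspect; 21 is the FTP control port discussed in the thread.
        [int[]]$Port = @(21)
    )

    # Build a PID -> process lookup from WMI/CIM (one of several process views).
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object {
        $procs[[int]$_.ProcessId] = $_
    }

    Get-NetTCPConnection -State Listen |
        Where-Object { $Port -contains $_.LocalPort } |
        ForEach-Object {
            $owner = $procs[[int]$_.OwningProcess]
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                OwningPID    = $_.OwningProcess
                # Missing owner: process hidden from this view, or already exited.
                Image        = if ($owner) { $owner.ExecutablePath } else { '<no process object>' }
                CommandLine  = if ($owner) { $owner.CommandLine }    else { $null }
                Hidden       = -not $owner
            }
        }
}

# Example run: listeners on 21 plus a few alternate FTP ports, hidden ones first.
Get-ListenerOwners -Port 21, 2121, 8021 |
    Sort-Object Hidden -Descending |
    Format-Table -AutoSize
```

A rootkit that hooks the same user-mode enumeration paths can fool every view this script uses, so a listener with no visible owner is a lead to confirm from outside the running OS, not a final answer.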
