Bugtraq mailing list archives

Re: Possible DoS attack to NT boxes running OpenNT 2.1


From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Sat, 15 Aug 1998 15:24:34 -0400


At 06:35 PM 8/15/98 +0200, n3m0 wrote:

> I'm sorry but I can't agree with this. I am the system administrator and I
> have tested it thoroughly before I sent my first post and I have tested
> again before sending this new one. I have tried the experiment from accounts
> with different access rights, even administrative ones, and NO ONE on the
> system (Administrators included) could kill the process. They seem to be
> "protected" system tasks. They may inherit this property from their parent
> POSIX processes.
>
> I couldn't find any file called TKILL.EXE, so I tried to kill them through
> the Task Manager and the kill command, but none of them were able to free
> the resources.

I'm not familiar with tkill, but there is more than one kill app running
around.  Not to be a smartass, but you did give the kill a -9?  The deal
here is that you need to be able to open the process.  If you don't have
explicit rights to open the process, you need to have debug rights so that
you can open someone else's process.  If you enable debug in your process,
_then_ try to open the process, it will open, and you can then terminate
it.  Some versions of kill do this, some don't.

Another trick I saw (in NT mag, I think) was to use the scheduler to start
an instance of the task manager running under the context of LocalSystem.
That will nuke just about anything, and can be done from any NT box where
you are logged in as admin.  If you go nuking certain system processes,
you'll BSOD, so don't get too adventurous.

Something else that would be of help would be an app called exetype, which
is in the Resource Kit.  I don't know which calls it makes to find this
out, but it can tell the difference between a character mode app and a GUI
app.  The OpenNT telnet daemon could make the same calls to check whether
the app was something that should be run, and you could make a perl script
to tell you which apps were command line so that you could ACL things
easily by using a group as you suggested - create a "telnet users" group,
and deny them access to GUI apps.


David LeBlanc
dleblanc () mindspring com
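The distinction exetype reports (character-mode vs. GUI app) is recorded in the Subsystem field of the PE optional header, so a script that wants to build the "telnet users" ACL list can read it straight from the file. Added example, not from this post or the Resource Kit; it assumes only the documented PE/COFF header layout, and the test image is constructed inline rather than taken from a real binary.

```python
import struct

# Documented IMAGE_SUBSYSTEM_* values from the PE/COFF specification.
SUBSYSTEMS = {1: "native", 2: "windows_gui", 3: "windows_cui", 7: "posix_cui"}

def pe_subsystem(image: bytes) -> str:
    """Return the subsystem name of a PE image, the property exetype reports."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/MZ image")
    # e_lfanew at 0x3C holds the file offset of the "PE\0\0" signature.
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    if len(image) < pe_off + 24:
        raise ValueError("truncated COFF header")
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    opt_size = struct.unpack_from("<HHIIIHH", image, pe_off + 4)[5]
    opt_off = pe_off + 24
    if opt_size < 70 or len(image) < opt_off + 70:
        raise ValueError("optional header too short to carry Subsystem")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    (subsystem,) = struct.unpack_from("<H", image, opt_off + 68)
    return SUBSYSTEMS.get(subsystem, "unknown(%d)" % subsystem)

def is_console_app(image: bytes) -> bool:
    """True for character-mode apps; GUI apps are what a telnet-users group would be denied."""
    return pe_subsystem(image) in ("windows_cui", "posix_cui")

def build_minimal_pe(subsystem: int, pe32plus: bool = False) -> bytes:
    """Constructed test image: just the headers this check reads, everything else zeroed."""
    pe_off, opt_size = 0x40, (240 if pe32plus else 224)
    buf = bytearray(pe_off + 24 + opt_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, pe_off + 4, 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt_off = pe_off + 24
    struct.pack_into("<H", buf, opt_off, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", buf, opt_off + 68, subsystem)
    return bytes(buf)

if __name__ == "__main__":
    for sub in (2, 3, 7):
        img = build_minimal_pe(sub)
        print(sub, pe_subsystem(img), "console" if is_console_app(img) else "gui/other")
```

Pointing pe_subsystem at real files on disk (reading them in binary mode) is enough to sort a directory of executables into the two groups.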

