Security Incidents mailing list archives
Re: Anyone seen this before?
From: H C <keydet89 () yahoo com>
Date: Tue, 2 Jul 2002 16:28:37 -0700 (PDT)
In task mgr, The application 'address' (w/o quotes) is running and is linked to the explorer.exe proc.
What do you mean by "linked"? What does this mean, and what did you do (or what tool did you use) to verify or discover this?
<!--begin the obvious--> I verified that the explorer.exe was the correct size. There was only 1 running with a normal thread count.
Okay...but what do you consider 'normal'?
I checked hklm...\currentversion\run(run once,services) and nothing was in it. Stat up, same, nothing.
What? What does "stat up, same, nothing" refer to?
I ran fport and fscan and nothing out of the ordinary popped up; netstat -a also did not show anything out of the ordinary. I also ran several other scanners against the machine and no known vulns that were unexpected popped up.
Okay...but if the process is on the machine, why are you running scanners against it?
IIS, Index service, etc are not running. All mappings removed, services disabled. Sp2, all app hotfixes installed. Pretty secure machine when run against normal audits. It is facing the public so the standard extra precautions have been taken. <!--end the obvious-->
All of that may have been obvious to you, but please understand...most of us have no idea what you consider to be "standard extra precautions". Hotfixes are all good and fine...but did you unbind NetBIOS from the Interface, leaving only TCP/IP?
If anyone has seen this before please let me know. A search on google did not provide any solid leads. I did follow thru on checking for known code red/nimda/things that were close but not really leads. I appreciate any insight from the list. Oh, and please don't bother to tell me to blow away the OS and start from scratch. While I appreciate the suggestion, i'm looking for leads, not the obvious.
Well, first off, "blowing away the os" is hardly what I would call an "obvious" answer. More like that answer slung about by those who aren't knowledgeable. Here's what I would suggest...go to SysInternals.com and get a copy of handle.exe, listdlls.exe, and pslist.exe (from the PSToolkit). These are all CLI tools, so you may want to redirect their output to a file... Run the tools. Pslist will give you some specifics about this "address" process...PID, times, etc. From handle.exe, you should be able to get the user context that the process is running under, plus the handles (files, semaphors, etc) the process has open. ListDlls will show you not only the DLLs the process depends on, but also the command line used to launch the process. Also, the CreateProcess() API call requires the full path to the executable as it's first argument, so you should be able to find a copy of "address.exe" someplace on your system. Happy hunting. Let me know if you need any help. __________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Anyone seen this before? Michael B. Morell (Jul 02)
- Re: Anyone seen this before? H C (Jul 02)
- <Possible follow-ups>
- RE: Anyone seen this before? Michael B. Morell (Jul 03)
- Re: Anyone seen this before? Sergey Latkin (Jul 03)
- RE: Anyone seen this before? george . wasgatt (Jul 03)