From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: Security Alert???

Sounds like your computer might have been tagged. Taggers look for machines that they can install FTP servers on so that they can share their warez; games, movies, dvds, etc. They usually use ServUFTP and rename it svchost.exe, because that's a common Windows service that will usually have several instances running. (So, when you look at running processes, you won't think it's unusual to see several instances of svchost.exe.)

Look for the following things:

1) kill.exe, pskill.exe, pslist.exe, servudaemon.ini, firedaemon.exe, nc.exe

2) Unusual folders in the Recycler directory - if you are using a default copy of Windows, you won't even see that directory in Explorer. You have to go to Tools/Folder Options/View (in the Explorer menu), and make sure you have "Show hidden files and folders" selected, "Hide extension for known file types" UNselected and "Hide protected operating system files (Recommended)" UNselected. Then go to the RECYCLER folder on each drive (C:\RECYCLER, D:\RECYCLER) and look for yellow folders (instead of the default Recycle Bin folders.) If you see any yellow folders, open them up. You'll probably find lots of "stuff" in there, which means you have definitely been tagged.

3) A service running that you've never seen before - go to Administrative Tools/Services and look at the services. One of them will be unusual - if you're lucky, they won't have renamed it to make it look "normal". If you look at the properties, you'll find that the actual executable is "svchost.exe".

4) Search for "svchost.exe" on your hard drive. If you find one that's 486KB in size, that's a renamed copy of ServUFTP. The MS version is 7 - 13KB, depending upon the version you have.

IF you find that you have been tagged, you need to figure out how they hacked your computer. Do you have IIS running? SQL Server? Do you have File Sharing turned on and shared with the Internet with no firewall? Did you get a trojan installed on your box? If you don't close the hole that allowed them in, you'll just get tagged again. You need to stay up to date on patches - that means visit windowsupdate.microsoft.com WEEKLY. Make it part of your routine. If you have Office installed, you need to visit office.microsoft.com WEEKLY. Keep your antivirus up to date WEEKLY.

HTH.

Paul Schmehl (pauls@...allas.edu)
TCS Department Coordinator
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

> -----Original Message-----
> From: Bob Crockett [mailto:bcrocket@...as.net]
> Sent: Friday, December 06, 2002 1:38 AM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Security Alert???
>
>
> Ok, folks, maybe I just stumbled into a list I don't
> belong in, but kindly indulge me a moment. Earlier
> today, Norton Firewall lit up, telling me that
>
> C:\winnt\system32\svchost.exe
> was attempting to access the internet. As I had not
> seen this warning before, I elected to block the
> communication. Then I started some web research.
> After not finding any answer on the Symantec site, I
> found my way here. So I thought I would ask if anyone
> here knows what this message means. Please excuse the
> waste of bandwidth, but I would appreciate any help.
>
> Reluctantly,
>
> Bob Crockett
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
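A read-only triage script for the four indicators in Paul's reply, written here as an added example rather than code from the original post; it assumes a current Windows host with PowerShell (which Paul's 2002 advice predates) and checks $Recycle.Bin alongside RECYCLER because later Windows versions renamed that folder.

```powershell
# Added example: read-only triage for the indicators in the post above.
# Run from an elevated PowerShell prompt; it reports, it never deletes.
$suspectNames  = 'kill.exe','pskill.exe','pslist.exe','servudaemon.ini','firedaemon.exe','nc.exe'
$systemSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
$findings      = New-Object System.Collections.Generic.List[string]

$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }
foreach ($d in $drives) {
    # One walk per drive, hidden/system files included (-Force), access errors skipped
    $files = Get-ChildItem -Path $d.Root -Recurse -File -Force -ErrorAction SilentlyContinue

    # 1) The tool and config file names the post lists
    $files | Where-Object { $suspectNames -contains $_.Name } |
        ForEach-Object { $findings.Add("[file] $($_.FullName)") }

    # 4) svchost.exe anywhere but its real home; the post gives ~486KB for renamed ServU
    #    and 7-13KB for the Microsoft binary of that era (modern ones are larger)
    $files | Where-Object { $_.Name -eq 'svchost.exe' -and $_.FullName -ne $systemSvchost } |
        ForEach-Object {
            $kb = [math]::Round($_.Length / 1KB)
            $findings.Add("[svchost copy] $($_.FullName) (${kb}KB)")
        }

    # 2) Sub-folders under RECYCLER / $Recycle.Bin that are not per-user SID folders
    foreach ($bin in 'RECYCLER', '$Recycle.Bin') {
        $path = Join-Path $d.Root $bin
        if (Test-Path $path) {
            Get-ChildItem -Path $path -Directory -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -notmatch '^S-1-5-' } |
                ForEach-Object { $findings.Add("[recycler] $($_.FullName)") }
        }
    }
}

# 3) Services whose executable is called svchost.exe but is not the System32 copy
Get-CimInstance Win32_Service | ForEach-Object {
    if ($_.PathName -match 'svchost\.exe' -and
        $_.PathName -notmatch [regex]::Escape($systemSvchost)) {
        $findings.Add("[service] $($_.Name): $($_.PathName)")
    }
}

if ($findings.Count) { $findings | Sort-Object -Unique } else { 'No indicators from the post found.' }
```

Every hit is a lead to inspect by hand, not a verdict; legitimate admin tools such as pskill.exe and pslist.exe will show up wherever an administrator installed them.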