lists.openwall.net
Open Source and information security mailing list archives
 
Message-ID: <1078231428.502.50.camel@bobby.exaprobe.com>
From: nicob at nicob.net (Nicob)
Subject: Looking for a tool

On Tue, 2004-03-02 at 00:36, Schmehl, Paul L wrote:

>         Well, I usually use *sysinternals* Process Explorer, and have
>         yet to see it fail to list a process...  how do you know the
>         process exists, if you can't list it?
>          
>         Real simple.  I have randomly named processes (like
>         gk5odre.exe) popping up, and when I kill them, another one
>         takes their place.  *Something* has to be the parent that
>         controls this.  I can delete an entire registry key and watch
>         it be recreated in less than a second.  I can delete a
>         directory with three dlls in it and watch it be recreated
>         right before my eyes.  I can kill the randomly named process
>         and watch it reappear using the same name or a completely
>         different name.  I can delete the executable after killing the
>         process, and it will be recreated in no time.  So *something*
>         has to be controlling it, yet when I look at the process tree,
>         the randomly named process appears to be the parent.

Probably a rootkit.

Give a look to klister and patchfinder2, from www.rootkit.com ...


Regards,
-- 
Nicob <nicob@...ob.net>

