By Arun Darlie Koshy
Answer 1)
*Most* Unusual is process smss.exe with PID 1384 with memory usage 1384 k, the normal smss.exe critical systems service takes around 344 K (and we see that its there).
Fishy, we've caught our rogue process ;-).
Answer 2)
We can use the free tool "TCPView" freely availble from Sysinternals.com to determine whether this
process is listening on a TCP or UDP port.
http://www.sysinternals.com/ntw2k/source/tcpview.shtml
Answer 3)
Nigel could'nt kill this process as the backdoor
uses an interesting vulnerability in the design of Windows 2k.
The OS is not case sensitive when determining critical system processes :
- winlogon.exe - csrss.exe - smss.exe - services.exe
Since the backdoor has the same name, the OS refuses to terminate it.
reference ---------
http://www.securityfocus.com/bid/3033
Answer 4)
Nigel can either use the "kill" utility supplied with the Windows 2K Resource kit, or he can choose an even more advanced version from Sysinternals :
http://www.sysinternals.com/ntw2k/freeware/pstools.shtml (complete suite)
http://www.sysinternals.com/ntw2k/freeware/pskill.shtml
--- SIGNATURE ---
"The gull sees farthest who flies highest"
GPG/PGP key located at acksyn.infosecwriters.com |
|