Xpost of Jack Troughton Part #2
From
Mike Luther@1:117/3001 to
All on Monday, June 04, 2001 19:15:44
Cross post of Jack Troughton Part #2;
What you have at the top is all the detached programs on the system. You can see that there are quite a few. Some of them are ones that I've set up to run detached, while others are set up by the system, and are necessary for the system to run properly.

The first five or six lines you see at the top are my programs, while the ones that follow are all system programs. Hey... my dnetc.exe's not running.... have to rectify that right away:). At any rate, those programs have all been started with the command detach, which means that you cannot use them interactively; you more or less start them running and let them go. Usually, they'll have some kind of control system so you can configure them; sometimes that'll be another program (setup.exe for ftpd and weasel, for example), or it might simply be a text file, followed by killing the program and restarting it. BTW- you can use go.exe to kill programs. Let's say I wanted to reconfigure my web server. After I modify the configuration files, I can change to the program's directory, type "go -k web" at the prompt, and then type "detach web" to start it again as a detached session. The advantages of running programs detached are that they use fewer time slices on the CPU and less memory, as the stuff for display in a command prompt is not loaded in a detached session.
The stuff that you see under the first instance of PMSHELL.EXE (that would be PID 22 in the first column) is what you see when you press Ctrl-Esc to bring up the Window List. All of the detached (DET) and system (SYS) programs above that don't appear in the Window List. You need a process lister like go.exe to see them. OS/2 ships with one, but its output is not very user friendly; it's called pstat.exe, and is worth looking at. However, for day to day use, go is a lot easier to work with than pstat.
If someone's trying to get you to run a trojan on your system, they'd have to send you an email with a rexx script that would go and get the program, download it to your hard drive, and then detach it, and put a command somewhere to run it again when your computer started. This would probably be in startup.cmd or in the config.sys... though there are keys in the os2.ini file that you can use to autostart programs, and which are manipulable by rexx. The thing is, all the tools exist on pretty much all OS/2 systems out there: rexx, the rxftp.dll library that rexx can use to move files around on the internet, the .ini manipulation routines (there's a reason all those programs use rexx scripts for the installation routine), and so on. What OS/2 *doesn't* have is several tens (if not hundreds) of millions of people who don't understand computers running it. OS/2 users are few in number, and also tend to be more tech savvy than the average Windows user. This makes OS/2 a very _unsuitable_ target for the people who write things like the sub7 trojan.
However, let's say you think that maybe someone may have done so... well, what you do to find one is to use the output of go.exe to look for programs you don't recognise along with netstat to find network connections you don't recognise.
Here's the output from "netstat -s":
--------------------------------------------------------------------------
AF_INET Address Family:
Total Number of sockets 15
SOCK   TYPE   FOREIGN     LOCAL       FOREIGN        STATE
              PORT        PORT        HOST
====== ====== =========== =========== ============== ========
16565  DGRAM  0           65143       0.0.0.0        UDP
16566  DGRAM  0           0           0.0.0.0        UDP
410    STREAM 0           telnet..23  0.0.0.0        LISTEN
411    STREAM 0           http..80    0.0.0.0        LISTEN
412    STREAM 0           ftp..21     0.0.0.0        LISTEN
413    DGRAM  syslog..514 54551       127.0.0.1      UDP
414    STREAM 0           nntp..119   0.0.0.0        LISTEN
415    DGRAM  0           nntp..119   0.0.0.0        UDP
904    STREAM 60005       telnet..23  192.168.1.2    ESTABLISH
905    STREAM nntp..119   54522       127.0.0.1      ESTABLISH
906    STREAM 54522       nntp..119   127.0.0.1      ESTABLISH
918    STREAM 24737       smtp..25    208.50.99.225  ESTABLISH
1515   STREAM 0           smtp..25    0.0.0.0        LISTEN
1516   STREAM 0           pop3..110   0.0.0.0        LISTEN
6828   DGRAM  0           syslog..514 0.0.0.0        UDP
--------------------------------------------------------------------------
AF_OS2 Address Family:
Total Number of sockets 0
To be continued in Part #3:
Mike @ 1:117/3001
--- Maximus/2 3.01
* Origin: Ziplog Public Port (1:117/3001)
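As an added example (not part of the cross-posted message), a small Python parser for the OS/2 "netstat -s" layout quoted above that does the check the post describes: it flags listening ports outside an allowlist you maintain and established sessions with non-loopback hosts. The sample listing and the allowlist are constructed; only the "name..number" port notation and the column order come from the quoted output.

```python
from typing import Iterable, List, NamedTuple

# Constructed sample in the layout of the OS/2 "netstat -s" listing quoted in the post.
SAMPLE = """\
Total Number of sockets 15
SOCK   TYPE   FOREIGN     LOCAL       FOREIGN        STATE
              PORT        PORT        HOST
====== ====== =========== =========== ============== ========
410    STREAM 0           telnet..23  0.0.0.0        LISTEN
411    STREAM 0           http..80    0.0.0.0        LISTEN
904    STREAM 60005       telnet..23  192.168.1.2    ESTABLISH
905    STREAM nntp..119   54522       127.0.0.1      ESTABLISH
918    STREAM 24737       smtp..25    208.50.99.225  ESTABLISH
1515   STREAM 0           smtp..25    0.0.0.0        LISTEN
"""

class Socket(NamedTuple):
    sock: int
    kind: str           # STREAM (TCP) or DGRAM (UDP)
    foreign_port: int
    local_port: int
    foreign_host: str
    state: str

def port_number(token: str) -> int:
    """OS/2 prints 'name..number' when it knows the service; return the number."""
    return int(token.rsplit("..", 1)[-1])

def parse_netstat(text: str) -> List[Socket]:
    """Keep only data rows: six whitespace-separated fields starting with a socket number."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].isdigit():
            continue  # headers, rules and the socket-count line are skipped
        rows.append(Socket(int(parts[0]), parts[1], port_number(parts[2]),
                           port_number(parts[3]), parts[4], parts[5]))
    return rows

def audit(rows: Iterable[Socket], expected_listeners: Iterable[int]) -> List[str]:
    """Flag listeners outside the allowlist and established sessions with non-loopback hosts."""
    expected = set(expected_listeners)
    findings = []
    for s in rows:
        if s.state == "LISTEN" and s.local_port not in expected:
            findings.append(f"unexpected listener on port {s.local_port} (sock {s.sock})")
        elif s.state == "ESTABLISH" and not s.foreign_host.startswith("127."):
            findings.append(f"sock {s.sock}: local port {s.local_port} <-> {s.foreign_host}:{s.foreign_port}")
    return findings
```

Run `audit(parse_netstat(SAMPLE), {23, 80, 25})` to list the two non-loopback sessions; anything the allowlist does not cover is what you then look up by PID in the go.exe output.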