• Xpost of Jack Troughton Part #2

    From Mike Luther@1:117/3001 to All on Monday, June 04, 2001 19:15:44
    Cross post of Jack Troughton Part #2;

    What you have at the top is all the detached programs on the system. You can see that there are quite a few. Some of them are ones that I've set up to run detached, while others are set up by the system, and are necessary for the system to run properly.

    The first five or six lines you see at the top are my programs, while the ones that follow are all system programs. Hey... my dnetc.exe's not running.... have to rectify that right away :). At any rate, those programs have all been started with the command detach, which means that you cannot use them interactively; you more or less start them running and let them go. Usually, they'll have some kind of control system so you can configure them; sometimes that'll be another program (setup.exe for ftpd and weasel, for example), or it might simply be a text file, followed by killing the program and restarting it. BTW, you can use go.exe to kill programs. Let's say I wanted to reconfigure my web server. After I modify the configuration files, I can change to the program's directory, type "go -k web" at the prompt, and then type "detach web" to start it again as a detached session. The advantage of running programs detached is that they use fewer time slices on the CPU and less memory, as the stuff for display in a command prompt is not loaded in a detached session.

    The stuff that you see under the first instance of PMSHELL.EXE (that would be PID 22 in the first column) are what you see when you press Ctrl-Esc to bring up the Window List. All of the detached (DET) and system (SYS) programs above that don't appear in the Window List. You need a process lister like go.exe to see them. OS/2 ships with one, but its output is not very user friendly; it's called pstat.exe, and is worth looking at. However, for day to day use, go is a lot easier to work with than pstat.

    If someone's trying to get you to run a trojan on your system, they'd have to send you an email with a rexx script that would go and get the program, download it to your hard drive, and then detach it, and put a command somewhere to run it again when your computer started. This would probably be in startup.cmd or in the config.sys... though there are keys in the os2.ini file that you can use to autostart programs, and which are manipulable by rexx. The thing is, all the tools exist on pretty much all OS/2 systems out there; rexx, the rxftp.dll library that rexx can use to move files around on the internet, the .ini manipulation routines (there's a reason all those programs use rexx scripts for the installation routine), and so on. What OS/2 *doesn't* have is several tens (if not hundreds) of millions of people who don't understand computers running it. OS/2 users are few in number, and also tend to be more tech savvy than the average Windows user. This makes OS/2 a very _unsuitable_ target for the people who write things like the sub7 trojan.

    However, let's say you think that maybe someone may have done so... well, what you do to find one is to use the output of go.exe to look for programs you don't recognise along with netstat to find network connections you don't recognise.

    Here's the output from "netstat -s":

    AF_INET Address Family:
    Total Number of sockets 15

    ====== ===== ========== ========== ========== ========
    16565 DGRAM 0 65143 UDP
    16566 DGRAM 0 0 UDP
    410 STREAM 0 telnet..23 LISTEN
    411 STREAM 0 http..80 LISTEN
    412 STREAM 0 ftp..21 LISTEN
    413 DGRAM syslog..514 54551 UDP
    414 STREAM 0 nntp..119 LISTEN
    415 DGRAM 0 nntp..119 UDP
    904 STREAM 60005 telnet..23 ESTABLISH
    905 STREAM nntp..119 54522 ESTABLISH
    906 STREAM 54522 nntp..119 ESTABLISH
    918 STREAM 24737 smtp..25 ESTABLISH
    1515 STREAM 0 smtp..25 LISTEN
    1516 STREAM 0 pop3..110 LISTEN
    6828 DGRAM 0 syslog..514 UDP
    --------------------------------------------------------------------------
    AF_OS2 Address Family:
    Total Number of sockets 0

    To be continued in Part #3:

    Mike @ 1:117/3001

    --- Maximus/2 3.01
    * Origin: Ziplog Public Port (1:117/3001)
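The message recommends checking the "netstat -s" listing for connections you don't recognise. The script below is an added example (not Jack's or Mike's code, and not an OS/2 tool) that parses a listing in the exact format quoted above and flags every socket whose local side is a service port not on an allowlist. Two assumptions are made and labelled in the code: the two endpoint columns are read as foreign-then-local, which is what the listeners in the quoted output imply (foreign 0, local "service..port"), and local ports at or above 49152 are treated as client-side ephemeral ports rather than services. The sample input is the listing from the message plus one constructed row (socket 7001) that stands in for a listener with no name in the services file; the allowlist is constructed too, and deliberately leaves telnet out so that an unexpected listener shows up.

```python
"""Flag unfamiliar sockets in an OS/2-style `netstat -s` listing.

Added example, not part of the original message. Assumptions (labelled):
  * the two endpoint columns are FOREIGN then LOCAL, matching the listeners
    in the quoted listing (foreign 0, local "service..port");
  * local ports >= 49152 (the IANA dynamic range) are client-side ephemeral
    ports and are not treated as services.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the listing quoted in the message plus one constructed
# extra row (socket 7001) standing in for a listener with no services-file name.
SAMPLE_NETSTAT = """\
AF_INET Address Family:
Total Number of sockets 16

====== ===== ========== ========== ========== ========
16565 DGRAM 0 65143 UDP
16566 DGRAM 0 0 UDP
410 STREAM 0 telnet..23 LISTEN
411 STREAM 0 http..80 LISTEN
412 STREAM 0 ftp..21 LISTEN
413 DGRAM syslog..514 54551 UDP
414 STREAM 0 nntp..119 LISTEN
415 DGRAM 0 nntp..119 UDP
904 STREAM 60005 telnet..23 ESTABLISH
905 STREAM nntp..119 54522 ESTABLISH
906 STREAM 54522 nntp..119 ESTABLISH
918 STREAM 24737 smtp..25 ESTABLISH
1515 STREAM 0 smtp..25 LISTEN
1516 STREAM 0 pop3..110 LISTEN
7001 STREAM 0 40123 LISTEN
6828 DGRAM 0 syslog..514 UDP
--------------------------------------------------------------------------
AF_OS2 Address Family:
Total Number of sockets 0
"""

# Services this box is supposed to offer (constructed allowlist; telnet is
# deliberately left out to show how an unexpected listener surfaces).
ALLOWED_LOCAL_PORTS = {21, 25, 80, 110, 119, 514}
EPHEMERAL_MIN = 49152  # assumption: dynamic/client port range starts here


@dataclass
class Endpoint:
    name: Optional[str]  # service name from the services file, if netstat printed one
    port: int            # 0 means unbound / any


@dataclass
class Sock:
    sock: int
    kind: str          # STREAM (TCP) or DGRAM (UDP)
    foreign: Endpoint
    local: Endpoint
    state: str         # LISTEN, ESTABLISH, UDP, ...


def parse_endpoint(field: str) -> Endpoint:
    """'telnet..23' -> Endpoint('telnet', 23); '54551' -> Endpoint(None, 54551)."""
    if ".." in field:
        name, port = field.rsplit("..", 1)
        return Endpoint(name, int(port))
    return Endpoint(None, int(field))


def parse_netstat(text: str) -> List[Sock]:
    """Keep only the five-column socket rows; headers, rulers and totals are skipped."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        socks.append(Sock(int(parts[0]), parts[1],
                          parse_endpoint(parts[2]), parse_endpoint(parts[3]), parts[4]))
    return socks


def is_service_port(port: int) -> bool:
    """A bound, non-ephemeral local port is something this machine is serving."""
    return port != 0 and port < EPHEMERAL_MIN


def unexpected_sockets(socks: List[Sock], allowed: Set[int]) -> List[Sock]:
    """Sockets whose LOCAL side is a service port not on the allowlist.

    Listeners, bound UDP sockets and established sessions are all checked: an
    ESTABLISH row with an unlisted local service port is a live session on a
    service you did not expect to be running at all.
    """
    return [s for s in socks
            if is_service_port(s.local.port) and s.local.port not in allowed]


def describe(s: Sock) -> str:
    local = s.local.name or "?"
    return f"sock {s.sock} {s.kind} local {local}..{s.local.port} state {s.state}"


if __name__ == "__main__":
    for s in unexpected_sockets(parse_netstat(SAMPLE_NETSTAT), ALLOWED_LOCAL_PORTS):
        print(describe(s))
```

Run against the sample it reports the telnet listener, the live telnet session on it, and the constructed unnamed listener on port 40123. Note that this kind of listing carries no process IDs, so the second half of the check (which program owns the socket) still has to be done by hand against the go.exe output, as the message says.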