Subj : Xpost of Jack Troughton Part #2
To   : All
From : Mike Luther
Date : Mon Jun 04 2001 07:15 pm

Cross post of Jack Troughton Part #2;


What you have at the top is all the detached programs on the system. You can
see that there are quite a few. Some of them are ones that I've set up to run
detached, while others are set up by the system, and are necessary for the
system to run properly.

The first five or six lines you see at the top are my programs, while the ones
that follow are all system programs. Hey... my dnetc.exe's not running.... have
to rectify that right away:). At any rate, those programs have all been started
with the command detach, which means that you cannot use them interactively;
you more or less start them running and let them go. Usually, they'll have some
kind of control system so you can configure them; sometimes that'll be another
program (setup.exe for ftpd and weasel, for example), or it might simply be a
text file, followed by killing the program and restarting it. BTW- you can use
go.exe to kill programs. Let's say I wanted to reconfigure my web server. After
I modify the configuration files, I can change to the program's directory, type
"go -k web" at the prompt, and then type "detach web" to start it again as a
detached session. The advantages of running programs detached are that they use
fewer time slices on the CPU and less memory, as the stuff for display in a
command prompt is not loaded in a detached session.

The stuff that you see under the first instance of PMSHELL.EXE (that would be
PID 22 in the first column) are what you see when you press Ctrl-Esc to bring
up the Window List. All of the detached (DET) and system (SYS) programs above
that don't appear in the Window List. You need a process lister like go.exe to
see them. OS/2 ships with one, but its output is not very user friendly; it's
called pstat.exe, and is worth looking at. However, for day to day use, go is a
lot easier to work with than pstat.

If someone's trying to get you to run a trojan on your system, they'd have to
send you an email with a rexx script that would go and get the program,
download it to your hard drive, and then detach it, and put a command somewhere
to run it again when your computer started. This would probably be in
startup.cmd or in the config.sys... though there are keys in the os2.ini file
that you can use to autostart programs, and which are manipulable by rexx. The
thing is, all the tools exist on pretty much all OS/2 systems out there; rexx,
the rxftp.dll library that rexx can use to move files around on the internet,
the .ini manipulation routines (there's a reason all those programs use rexx
scripts for the installation routine), and so on. What OS/2 *doesn't* have is
several tens (if not hundreds) of millions of people who don't understand
computers running it. OS/2 users are few in number, and also tend to be more
tech savvy than the average Windows user. This makes OS/2 a very _unsuitable_
target for the people who write things like the sub7 trojan.

However, let's say you think that maybe someone may have done so... well, what
you do to find one is to use the output of go.exe to look for programs you
don't recognise along with netstat to find network connections you don't
recognise.

Here's the output from "netstat -s":

--------------------------------------------------------------------------
                             AF_INET Address Family:
                             Total Number of sockets 15

 SOCK   TYPE       FOREIGN          LOCAL         FOREIGN         STATE
                    PORT             PORT            HOST
======  =====      ==========      ==========      ==========    ========
16565  DGRAM               0           65143         0.0.0.0  UDP
16566  DGRAM               0               0         0.0.0.0  UDP
  410 STREAM               0      telnet..23         0.0.0.0  LISTEN
  411 STREAM               0        http..80         0.0.0.0  LISTEN
  412 STREAM               0         ftp..21         0.0.0.0  LISTEN
  413  DGRAM     syslog..514           54551       127.0.0.1  UDP
  414 STREAM               0       nntp..119         0.0.0.0  LISTEN
  415  DGRAM               0       nntp..119         0.0.0.0  UDP
  904 STREAM           60005      telnet..23     192.168.1.2  ESTABLISH
  905 STREAM       nntp..119           54522       127.0.0.1  ESTABLISH
  906 STREAM           54522       nntp..119       127.0.0.1  ESTABLISH
  918 STREAM           24737        smtp..25   208.50.99.225  ESTABLISH
 1515 STREAM               0        smtp..25         0.0.0.0  LISTEN
 1516 STREAM               0       pop3..110         0.0.0.0  LISTEN
 6828  DGRAM               0     syslog..514         0.0.0.0  UDP
--------------------------------------------------------------------------
                             AF_OS2 Address Family:
                             Total Number of sockets 0

To be continued in Part #3:

Mike @ 1:117/3001


--- Maximus/2 3.01
* Origin: Ziplog Public Port (1:117/3001)