Security

6 Steps to remove duplicated csrss and smss

If your computer runs a Windows-based operating system, you might have seen csrss.exe and smss.exe in Task Manager. What are they? Actually, they are essential software components of Microsoft Windows. However, they must run as SYSTEM processes, with no duplicates. If you find two copies of them, one running as SYSTEM and one running as your user, your machine has already been infected. I don’t know exactly, but it seems to be a kind of malware. NOD32 doesn’t classify them. These processes can’t be deleted or terminated as usual; msconfig or regedit cannot help you. Fortunately, you can remove it permanently by yourself.

How to monitor network services using Nagios

Today in the morning, one of my friends asked me to help resolve a network-related problem. Actually, he didn’t know what the problem exactly was. All he knew was that he could not access a network mapped drive. Let me describe this problem in detail in the next paragraph.

There is an enterprise network with 2 servers: Microsoft Windows 2000 Advanced Server and RedHat Linux 8.0. He usually works on Microsoft Windows XP using shared data and a database on the Windows 2000 server. Sometimes he encounters a connection problem in which he is unable to access the Windows 2000 server for a while.

Port Forwarding for LevelOne WBR-3407A and WBR-3407B

The LevelOne WBR-3407 series is a wireless 54 Mbps ADSL2+ router with 4 10/100 Mbps ports. There are 2 models, WBR-3407A and WBR-3407B, depending on country. Most LevelOne routers do not support full-featured port forwarding; instead, they support a limited virtual server concept. To set up port forwarding in this router series, there are 2 choices.

  1. DMZ
  2. Virtual Servers

Choosing the appropriate option depends on the application you want to run. If the application is one of the standard services such as web, FTP or e-mail, you can choose either. However, if you want to run BitTorrent or any P2P application efficiently, you must choose DMZ instead.

Ban IP that makes too many password failures using Fail2Ban

Today I have just found that my colleague’s server was hacked by someone to run an IRC bot. Cool! This server didn’t run any services except SSH. It is very secure. Anyway, after investigating /var/log/secure, I found lots of failed login attempts from unknown sources. Eventually, the last attempt was successful and he/she changed the root password to something I didn’t know. Fortunately, single-user mode helped me recover the machine back under my control.

4 steps to turn on NAT loopback in ZyXEL router

My colleague used a ZyXEL Prestige 650R-31 as the main ADSL router for his company. It works very well and is very stable. Last week he asked me to help him set up a server placed behind the ADSL router so that it would be accessible from anywhere on the Internet. The main service is e-mail, so I just added port forwarding via the web-based configuration. It was so easy and worked like a charm. However, the connection could not be established if he sat inside the NAT. This problem is the so-called "NAT loopback". I have found this kind of problem in D-Link routers also.

AWStats 5.9 has been cracked

One of my machines has had AWStats 5.9 installed since 2003 and was never upgraded or patched. Today I heard that that machine has been transmitting a SYN flood to 3com. After a short investigation, we found that there was a strange process named cback running as apache. Then I simply googled by keyword . The first result was Slapper v2.0 - XML-RPC/Awstats Worm. Oh, my god! I had just been hacked via XML-RPC 2 weeks ago. It seems the XML-RPC implementation in PHP is being widely cracked by many hackers around the world.