Security Incidents mailing list archives
Re: Logon.dll? Possible root-kit?
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 3 Apr 2003 17:14:08 -0800 (PST)
Nick, I downloaded the archive and went through it. Unfortunately, none of the information I asked about was in the archive...Registry keys, results of fport.exe, etc. Also, the web logs you included in the archive seem to be selected for a specific reason. Why is that? What did you expect them to show? One shows a failed Nimda scan. At this point, I don't know that decompiling the DLLs are going to do much in the way of helping figure out how this occurred, and what to do to prevent it in the future. Good luck --- Nick Jacobsen <nick () ethicsdesign com> wrote:
Ok here is link to a rar of the suspected files: http://www.ethicsdesign.com/HackLog.rar As some of you said, it looks like there is not a rootkit installed, and it looks like this was an attempt at making this box join a botnet. A kindly IRCOp has offered to both decompile the bot dll, and to remove the offending channel (#thallia), so that is taken care of. Anyway, I did manage to convince my clients that this was serious enough to warant a wipe of the data on the machine. I am waiting to see what your analysis of these files are. Thank You, Nick Jacobsen nick () ethicsdesign com
----------------------------------------------------------------------------
Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents
__________________________________________________ Do you Yahoo!? Yahoo! Tax Center - File online, calculators, forms, and more http://tax.yahoo.com ---------------------------------------------------------------------------- Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents
Current thread:
- Logon.dll? Possible root-kit? Nick Jacobsen (Apr 02)
- RE: Logon.dll? Possible root-kit? Rob Shein (Apr 03)
- Re: Logon.dll? Possible root-kit? Harlan Carvey (Apr 03)
- <Possible follow-ups>
- Re: Logon.dll? Possible root-kit? Nick Jacobsen (Apr 03)
- RE: Logon.dll? Possible root-kit? Amarante, Rodrigo P. (Apr 03)
- Re: Logon.dll? Possible root-kit? Nick Jacobsen (Apr 03)
- Re: Logon.dll? Possible root-kit? Harlan Carvey (Apr 04)
- Re: Logon.dll? Possible root-kit? Nick Jacobsen (Apr 04)
- RE: Logon.dll? Possible root-kit? Rob Shein (Apr 04)
- Re: Logon.dll? Possible root-kit? Harlan Carvey (Apr 04)
- RE: Logon.dll? Possible root-kit? Jason Pagano (Apr 04)