Security Incidents mailing list archives
Re: Logon.dll? Possible root-kit?
From: "Nick Jacobsen" <nick () ethicsdesign com>
Date: Wed, 2 Apr 2003 20:29:21 -0800
I will be packaging all the suspect files I find into a rar and putting them on my site. Should be sometime tomarrow morning. At that time, I'll go ahead and send a link to them. Thanks for the help with offers to RE them... Nick Jacobsen Ethics Design nick () ethicsdesign com ----- Original Message ----- From: "Exurity Debugs" <exbugs () rogers com> To: "Nick Jacobsen" <nick () ethicsdesign com> Sent: Wednesday, April 02, 2003 8:24 PM Subject: RE: Logon.dll? Possible root-kit?
Could you get a copy of them and kindly send to me to reverse? Peter Huang http://members.rogers.com/exurity/ Executable Security -----Original Message----- From: Nick Jacobsen [mailto:nick () ethicsdesign com] Sent: Wednesday, April 02, 2003 9:10 PM To: incidents () securityfocus com Subject: Logon.dll? Possible root-kit? Hi all, hoping someone can point me in the right direction. I usually do penetration testing, but one of my clients had someone, they suspect a past employee, break into their network. I didn't get
called
in till well after the incident, and they did not have any logs from the time of the incident. Now, I have found two extremely odd things... One,
a
file called logon.dll in the winnt\system32 directory, that was NOT made
by
microsoft, and two, that inetsrv (internet information services) does not
show up in the process list, though it is running. BTW, this is a windows
2000 box. I have advised this client to wipe the box and restore from a
ghost image, but they are not willing to. I guess my question is for any
possible information on a root kit that could have been used againt this
machine, as well as any tools you know about that may help me detect the
rootkit.
On a second note, I have discovered an IRC bot installed on this
machine
as well. The file name was r_bot.dll, and it connected to irc.choopa.net, channel #thallia, chan password "suckme"... have any of you run into this specific bot? if so, what commands does it support? Anyway, thanks in advance for your help. Nick Jacobsen Ethics Design nick () ethicsdesign com --------------------------------------------------------------------------
--
Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents
---------------------------------------------------------------------------- Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents
Current thread:
- Logon.dll? Possible root-kit? Nick Jacobsen (Apr 02)
- RE: Logon.dll? Possible root-kit? Rob Shein (Apr 03)
- Re: Logon.dll? Possible root-kit? Harlan Carvey (Apr 03)
- <Possible follow-ups>
- Re: Logon.dll? Possible root-kit? Nick Jacobsen (Apr 03)
- RE: Logon.dll? Possible root-kit? Amarante, Rodrigo P. (Apr 03)
- Re: Logon.dll? Possible root-kit? Nick Jacobsen (Apr 03)
- Re: Logon.dll? Possible root-kit? Harlan Carvey (Apr 04)
- Re: Logon.dll? Possible root-kit? Nick Jacobsen (Apr 04)
- RE: Logon.dll? Possible root-kit? Rob Shein (Apr 04)
- Re: Logon.dll? Possible root-kit? Harlan Carvey (Apr 04)
- RE: Logon.dll? Possible root-kit? Jason Pagano (Apr 04)