Security Incidents mailing list archives

Re: Logon.dll? Possible root-kit?

From: "Nick Jacobsen" <nick () ethicsdesign com>
Date: Thu, 3 Apr 2003 12:43:05 -0800

Ok here is link to a rar of the suspected files:
    http://www.ethicsdesign.com/HackLog.rar

As some of you said, it looks like there is not a rootkit installed, and it
looks like this was an attempt at making this box join a botnet.  A kindly
IRCOp has offered to both decompile the bot dll, and to remove the offending
channel (#thallia), so that is taken care of.  Anyway, I did manage to
convince my clients that this was serious enough to warant a wipe of the
data on the machine.  I am waiting to see what your analysis of these files
are.

Thank You,
Nick Jacobsen
nick () ethicsdesign com


----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents

Current thread:

Logon.dll? Possible root-kit? Nick Jacobsen (Apr 02)
- RE: Logon.dll? Possible root-kit? Rob Shein (Apr 03)
- Re: Logon.dll? Possible root-kit? Harlan Carvey (Apr 03)
- <Possible follow-ups>
- Re: Logon.dll? Possible root-kit? Nick Jacobsen (Apr 03)
- RE: Logon.dll? Possible root-kit? Amarante, Rodrigo P. (Apr 03)
- Re: Logon.dll? Possible root-kit? Nick Jacobsen (Apr 03)
  - Re: Logon.dll? Possible root-kit? Harlan Carvey (Apr 04)
    - Re: Logon.dll? Possible root-kit? Nick Jacobsen (Apr 04)
  - RE: Logon.dll? Possible root-kit? Rob Shein (Apr 04)
- RE: Logon.dll? Possible root-kit? Jason Pagano (Apr 04)