Security Incidents mailing list archives
Re: Logon.dll? Possible root-kit?
From: "Nick Jacobsen" <nick () ethicsdesign com>
Date: Thu, 3 Apr 2003 17:23:24 -0800
I'm sorry, the archive was meant for the people who had wanted to decompile the r_bot.dll IRC bot. I have already determined that it was not a rootkit... as to the logs, those were the only logs, as IIS was only running for those days, oddly enough. I have, using some slightly convoluted methods, determined that the attack originated through an old IIS box that the system administrator was not aware of. The attacker used that box, using double decode, to add himself an account on a terminal server box, upon which he then proceeded to install the botkit, and some other utilities.

Nick Jacobsen

----- Original Message -----
From: "Harlan Carvey" <keydet89 () yahoo com>
To: <incidents () securityfocus com>
Sent: Thursday, April 03, 2003 5:14 PM
Subject: Re: Logon.dll? Possible root-kit?

Nick,

I downloaded the archive and went through it. Unfortunately, none of the information I asked about was in the archive... Registry keys, results of fport.exe, etc. Also, the web logs you included in the archive seem to be selected for a specific reason. Why is that? What did you expect them to show? One shows a failed Nimda scan. At this point, I don't know that decompiling the DLLs is going to do much in the way of helping figure out how this occurred, and what to do to prevent it in the future.

Good luck

--- Nick Jacobsen <nick () ethicsdesign com> wrote:

Ok, here is a link to a rar of the suspected files: http://www.ethicsdesign.com/HackLog.rar

As some of you said, it looks like there is not a rootkit installed, and it looks like this was an attempt at making this box join a botnet. A kindly IRCOp has offered to both decompile the bot dll, and to remove the offending channel (#thallia), so that is taken care of. Anyway, I did manage to convince my clients that this was serious enough to warrant a wipe of the data on the machine. I am waiting to see what your analysis of these files is.

Thank You,
Nick Jacobsen
nick () ethicsdesign com
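The thread turns on a double-decode request against an old IIS box and on what the web logs do or do not show. As an added example (not code from this thread or from any poster), here is a small scanner over constructed IIS W3C log lines that percent-decodes each request path until it stops changing, so a doubly encoded traversal becomes visible as a finding; the log lines, IP addresses and function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (not from the thread). Fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2003-04-01 02:11:07 10.0.0.5 GET /default.htm - 200
2003-04-01 02:12:41 10.0.0.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2003-04-01 02:13:02 10.0.0.9 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2003-04-01 02:15:30 10.0.0.7 GET /search.asp q=hello%20world 200
"""

# A path segment that is exactly ".." after decoding is an upward traversal.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def decode_fully(uri, max_rounds=3):
    """Percent-decode until the string stops changing.
    Returns (decoded_path, rounds_needed); rounds_needed > 1 means the
    request was encoded more than once, which is what a single server-side
    decode followed by a second one (the 'double decode' bug) would expose."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(uri)
        if nxt == uri:
            break
        uri = nxt
        rounds += 1
    return uri.replace("\\", "/"), rounds


def scan_iis_log(text):
    """Return one finding per request whose fully decoded path traverses upward."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip W3C header lines
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        date, time, ip, method, stem, query, status = fields[:7]
        decoded, rounds = decode_fully(stem)
        if TRAVERSAL.search(decoded):
            findings.append({"time": f"{date} {time}", "ip": ip, "status": status,
                             "decoded": decoded, "double_encoded": rounds > 1})
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f)
```

A 200 status on a traversal request is the line worth chasing first; a 404 means the path was blocked or absent.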