Security Incidents mailing list archives
RE: Logon.dll? Possible root-kit?
From: Jason Pagano <JPAGANO () orthonet-online com>
Date: Fri, 4 Apr 2003 08:40:32 -0500
Logon.dll and dir.dll are just Serv-U's MOTD/dir change files. MsCtrl32ocx.ocx is the conf (open it in WordPad). Su.exe and explorer.exe are both Serv-U (rooted by 2 different people?). All the DWRC* and DNTUS26.exe are DameWare (dameware.com). The batch files were probably run as services.

I'd be willing to bet the ranch that the hacked box had a null or weak admin pass... probably on a fast line as well, seeing it was being used as a pub warez box. Look in c:\winnt\system32\spool\drivers\color\ and you'll find your warez there.

Bot.dll is packed with UPX; after decompressing it and taking a look, there are at least 3 references to 3 different ircd's, and the version reply is TircClient OpenSource component 2.0 by G.Timmons: Http://shadeline.hypermart.net/index.html

-----Original Message-----
From: Nick Jacobsen [mailto:nick () ethicsdesign com]
Sent: Thursday, April 03, 2003 3:43 PM
To: incidents () securityfocus com
Subject: Re: Logon.dll? Possible root-kit?

Ok, here is a link to a rar of the suspected files: http://www.ethicsdesign.com/HackLog.rar

As some of you said, it looks like there is not a rootkit installed, and it looks like this was an attempt at making this box join a botnet. A kindly IRCOp has offered to both decompile the bot dll and to remove the offending channel (#thallia), so that is taken care of.

Anyway, I did manage to convince my clients that this was serious enough to warrant a wipe of the data on the machine. I am waiting to see what your analysis of these files is.

Thank you,
Nick Jacobsen
nick () ethicsdesign com

----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents
----------------------------------------------------------------------------
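As an added example (not part of this thread, and not code from either poster), here is a small Python triage script that automates the two checks Jason describes for Bot.dll: reading the PE section table to see whether the file carries UPX's tell-tale UPX0/UPX1 section names, and pulling printable strings out of the image to look for IRC client vocabulary. It does not unpack UPX itself; the constructed sample below stands in for the bytes you would get back from `upx -d`. The section-name heuristic, the IRC hint list and the `build_sample_pe` helper are my own assumptions for the demo, not anything the thread states.

```python
import re
import struct

# Vocabulary an IRC bot tends to carry in clear once unpacked. Constructed list.
IRC_HINTS = ("PRIVMSG", "NICK ", "JOIN #", "USER ", "ircd")


def pe_section_names(data):
    """Walk the PE headers by hand and return section names in table order.

    Raises ValueError if the bytes do not look like a PE image.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature:
    # NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]  # 40-byte entries, name first
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(section_names):
    """Stock UPX renames the code/data sections UPX0/UPX1; a cheap first tell."""
    return any(n.upper().startswith("UPX") for n in section_names)


def ascii_strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def irc_indicators(strings):
    """Keep only the strings that contain one of the IRC hints."""
    return [s for s in strings if any(h in s for h in IRC_HINTS)]


def triage(data):
    """One-shot summary: sections, packer guess, and IRC-looking strings."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_packed": looks_upx_packed(names),
        "irc_indicators": irc_indicators(ascii_strings(data)),
    }


def build_sample_pe(section_names, payload):
    """Assemble a minimal, header-only PE32 image for offline testing (constructed)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections + payload


# Constructed stand-in for an unpacked bot image; the host names are placeholders.
SAMPLE_PAYLOAD = (b"\0\0NICK bot1234\0USER bot 0 0 :bot\0JOIN #chan\0"
                  b"irc.example.net\0ircd.example.org\0PRIVMSG\0\x01\x02\x03")

if __name__ == "__main__":
    sample = build_sample_pe(["UPX0", "UPX1", ".rsrc"], SAMPLE_PAYLOAD)
    print(triage(sample))
```

On a real sample you would run `triage()` twice: once on the packed DLL, where only the section names are informative, and again on the output of `upx -d`, where the strings become readable. Section names are a weak signal (a packer can rename them), so treat the UPX flag as a prompt to unpack, not as a verdict.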
Current thread:
- Logon.dll? Possible root-kit? Nick Jacobsen (Apr 02)
- RE: Logon.dll? Possible root-kit? Rob Shein (Apr 03)
- Re: Logon.dll? Possible root-kit? Harlan Carvey (Apr 03)
- <Possible follow-ups>
- Re: Logon.dll? Possible root-kit? Nick Jacobsen (Apr 03)
- RE: Logon.dll? Possible root-kit? Amarante, Rodrigo P. (Apr 03)
- Re: Logon.dll? Possible root-kit? Nick Jacobsen (Apr 03)
- Re: Logon.dll? Possible root-kit? Harlan Carvey (Apr 04)
- Re: Logon.dll? Possible root-kit? Nick Jacobsen (Apr 04)
- RE: Logon.dll? Possible root-kit? Rob Shein (Apr 04)
- Re: Logon.dll? Possible root-kit? Harlan Carvey (Apr 04)
- RE: Logon.dll? Possible root-kit? Jason Pagano (Apr 04)