Security Incidents mailing list archives

RE: Windows 2k rootkit incident


From: "Drew Weaver" <drew () orbityl com>
Date: Thu, 12 Jun 2003 19:47:58 -0400

Basically the box was locking up. I logged into it and noticed the patch
level was way behind, so I immediately became suspicious and port scanned
it. Sure enough, there was an FXP daemon listening on port 444. From
there I ran FPORT to determine the name of the file that was listening
on 444; it was secsrvc.exe. That's where I hit the brick wall, because
secsrvc.exe didn't exist. Then, just for kicks, I did some reading about
NT rootkits and tried the 'rename' trick. So I renamed a file secsrvc,
and it vanished. Then I ascertained that something must be hiding files
with that extension from various parts of my system, so I made a new
copy of regedit, taskmgr and cmd, all with the prefix secsrvr
(secsrvrregedit.exe). Then I was able to see everything that was
affected: it installed itself as two services, one was called XGA and
the other one was called 'Secure Routing'. Both obvious shams.



-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com] 
Sent: Thursday, June 12, 2003 7:34 PM
To: drew () orbityl com
Subject: re: Windows 2k rootkit incident

Drew,

Can you elaborate on what made you suspicious about
this particular rooted box, and what you did to find
the files in question?

It looks like some of the files are renamed MS
files...for example, mfxp_sperm.exe is xcalcs.exe.  It
also looks as if psloglist and psinfo are included
either in the rootkit, or you ran them to provide
information...w/o some kind of explanation, it really
isn't clear.

This does look like HackerDefender was used...any idea
how it got there?

Thanks for the time,

Harlan

__________________________________
Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
http://calendar.yahoo.com


----------------------------------------------------------------------------
----------------------------------------------------------------------------
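The two checks Drew describes (a port-to-process mapping that names a file which then "doesn't exist", and a canary named with the suspect prefix that vanishes from listings) can be scripted. The following is an added example for this archive page, not code from the thread, from Foundstone or from any rootkit author. It assumes FPort's "Pid Process -> Port Proto Path" line layout; the sample output, the pids, the paths and the secsrvc.exe entry are constructed for the example, and the file-existence check is injectable so the phantom-listener logic can be exercised on any host.

```python
"""Cross-check a port-to-process listing against the file system and probe
a directory for name-prefix file hiding. Added example; not from the thread."""
import os
import re
import tempfile

# Constructed sample in the layout of FPort output. Pids, paths and the
# secsrvc entry are invented for this example.
SAMPLE_FPORT_OUTPUT = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
1104  secsrvc        ->  444   TCP   C:\\WINNT\\system32\\secsrvc.exe
1240  inetinfo       ->  80    TCP   C:\\WINNT\\system32\\inetsrv\\inetinfo.exe
"""

# One data line: pid, process name, "->", port, protocol, optional image path.
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(text):
    """Return the data rows of an FPort-style listing as dicts; banner and
    header lines do not match the pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        entries.append({"pid": int(pid), "process": proc, "port": int(port),
                        "proto": proto, "path": path.strip() or None})
    return entries


def find_phantom_listeners(entries, path_exists):
    """Listeners whose reported image path cannot be found on disk.
    A file that is actively listening yet 'does not exist' is the
    contradiction that points at file hiding rather than a missing binary.
    path_exists is injected (os.path.exists on the host being examined)."""
    return [e for e in entries if e["path"] and not path_exists(e["path"])]


def probe_prefix_hiding(directory, prefix):
    """Create a canary file whose name starts with the suspect prefix and
    compare two views of it: directory enumeration versus a direct stat.
    On a clean system both agree; a hooked enumeration drops the name from
    the listing while the direct stat still succeeds."""
    name = prefix + "_canary.txt"
    full = os.path.join(directory, name)
    with open(full, "w") as fh:
        fh.write("canary\n")
    try:
        listed = name in os.listdir(directory)
        statable = os.path.exists(full)
        return {"listed": listed, "statable": statable,
                "hidden": statable and not listed}
    finally:
        os.remove(full)


def probe_in_scratch_dir(prefix):
    """Run the canary probe in a throwaway directory (hypothetical helper)."""
    with tempfile.TemporaryDirectory() as scratch:
        return probe_prefix_hiding(scratch, prefix)


if __name__ == "__main__":
    rows = parse_fport(SAMPLE_FPORT_OUTPUT)
    # On the real host you would pass os.path.exists; here a constructed
    # set of known files stands in for the disk.
    known = {r"C:\WINNT\system32\svchost.exe",
             r"C:\WINNT\system32\inetsrv\inetinfo.exe"}
    for e in find_phantom_listeners(rows, lambda p: p in known):
        print("phantom listener: port %d -> %s" % (e["port"], e["path"]))
    print("canary probe:", probe_in_scratch_dir("secsrvc"))
```

The probe generalises the rename trick: instead of renaming a real file and watching it disappear, it writes a disposable canary and reports the disagreement between the two views, so the check can be repeated for any prefix you suspect without touching existing files.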

