Security Incidents mailing list archives
RE: Windows 2k rootkit incident, files zipped for your pleasure.
From: "Dan Perez" <danperez () san rr com>
Date: Thu, 12 Jun 2003 17:09:46 -0700
It appears as if a valid name for it is MfXP and it appears somewhat popular in Warez groups. Most of the files in your provided zip (thanks for posting it) appear to be renamed versions of popular utilities from Sysinternals, Foundstone, ntsecurity.nu and MS Reskit.

It's kinda funny, in searching for "MFXP" in CopernicPro I came across a fair # of hits that were apparently Warez sites that had since been cleaned by the respective net admins.

Regards,
Dan Perez

-----Original Message-----
From: Drew Weaver [mailto:drew () orbityl com]
Sent: Thursday, June 12, 2003 8:57 AM
To: incidents () securityfocus com
Subject: Windows 2k rootkit incident, files zipped for your pleasure.

Hi, with the help of Karl Levinson I was able to detect the presence of a rootkit on one of my Windows 2000 servers. I was able to grab the files and zip them, so maybe we can watch for this stuff in the future. I'm not sure if this rootkit has a particular name or what/not. You can get the files here:

http://www.soul-fu.com/beenhaxxored.zip

Thanks Karl.
-Drew