Security Incidents mailing list archives

RE: Windows 2k rootkit incident, files zipped for your pleasure.


From: "Dan Perez" <danperez () san rr com>
Date: Thu, 12 Jun 2003 17:09:46 -0700

It appears as if a valid name for it is MfXP and it appears somewhat popular
in Warez groups. Most of the files in your provided zip (thanks for posting
it) appear to be renamed versions of popular utilities from Sysinternals,
Foundstone, ntsecurity.nu and MS Reskit.

It's kinda funny: in searching for "MFXP" in CopernicPro I came across a
fair number of hits that were apparently Warez sites that had since been
cleaned by the respective net admins.

Regards,

Dan Perez

-----Original Message-----
From: Drew Weaver [mailto:drew () orbityl com]
Sent: Thursday, June 12, 2003 8:57 AM
To: incidents () securityfocus com
Subject: Windows 2k rootkit incident, files zipped for your pleasure.


    Hi, with the help of Karl Levinson I was able to detect the presence of
a rootkit on one of my Windows 2000 servers. I was able to grab the files
and zip them, so maybe we can watch for this stuff in the future. I'm not
sure if this rootkit has a particular name or whatnot; you can get the
files here:

http://www.soul-fu.com/beenhaxxored.zip

Thanks Karl.

-Drew

