Re: Logon.dll? Possible root-kit?
From: Nick Jacobsen (nick@ethicsdesign.com)
Date: Wed Apr 02 2003 - 22:29:21 CST
I will be packaging all the suspect files I find into a rar and putting them
on my site. Should be sometime tomorrow morning. At that time, I'll go
ahead and send a link to them. Thanks for the help with offers to RE
them...
Nick Jacobsen
Ethics Design
nick@ethicsdesign.com
----- Original Message -----
From: "Exurity Debugs" <exbugs@rogers.com>
To: "Nick Jacobsen" <nick@ethicsdesign.com>
Sent: Wednesday, April 02, 2003 8:24 PM
Subject: RE: Logon.dll? Possible root-kit?
> Could you get a copy of them and kindly send to me to reverse?
>
> Peter Huang
> http://members.rogers.com/exurity/
> Executable Security
>
> -----Original Message-----
> From: Nick Jacobsen [mailto:nick@ethicsdesign.com]
> Sent: Wednesday, April 02, 2003 9:10 PM
> To: incidents@securityfocus.com
> Subject: Logon.dll? Possible root-kit?
>
> Hi all, hoping someone can point me in the right direction.
> I usually do penetration testing, but one of my clients had someone,
> they suspect a past employee, break into their network. I didn't get called
> in till well after the incident, and they did not have any logs from the
> time of the incident. Now, I have found two extremely odd things... One, a
> file called logon.dll in the winnt\system32 directory, that was NOT made by
> Microsoft, and two, that inetsrv (Internet Information Services) does not
> show up in the process list, though it is running. BTW, this is a Windows
> 2000 box. I have advised this client to wipe the box and restore from a
> Ghost image, but they are not willing to. I guess my question is for any
> possible information on a root kit that could have been used against this
> machine, as well as any tools you know about that may help me detect the
> rootkit.
> On a second note, I have discovered an IRC bot installed on this machine
> as well. The file name was r_bot.dll, and it connected to irc.choopa.net,
> channel #thallia, chan password "suckme"... Have any of you run into this
> specific bot? If so, what commands does it support?
>
> Anyway, thanks in advance for your help.
>
> Nick Jacobsen
> Ethics Design
> nick@ethicsdesign.com
----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents
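Editor's added example (not part of the thread, and not a tool any of the posters used): the two symptoms Nick describes, a non-Microsoft DLL sitting in System32 and a service that is running but absent from the process list, are the classic signs of a user-mode rootkit hooking the enumeration APIs. The script below is the generalised triage a responder would run today for exactly those symptoms. It assumes a modern Windows host with PowerShell 5.1 or later and an elevated prompt; the Windows 2000 box in the thread predates PowerShell, so treat it as the shape of the checks rather than something to paste onto that machine. It uses only built-in cmdlets (Get-AuthenticodeSignature, Get-FileHash, Get-Process, Get-CimInstance, tasklist, Get-NetTCPConnection). The IRC port list in the last step is an assumption about where such a bot would connect, not something the thread states.

```powershell
# Added triage script (editor's example, not from the thread). Assumes PowerShell 5.1+
# on a modern Windows host, run elevated. The console itself runs on the suspect
# box, so a clean result here is weak evidence; a hit is a lead, not a verdict.

# --- 1. System32 DLLs that do not carry a valid Microsoft Authenticode signature
# (the logon.dll case). Caveat: many Microsoft files are catalog-signed rather
# than embedded-signed; Get-AuthenticodeSignature resolves catalogs on supported
# Windows versions, but anything reported as NotSigned still needs its hash
# checked against known-good install media before it is treated as foreign.
$sys32 = Join-Path $env:SystemRoot 'System32'
$suspectDlls = Get-ChildItem -Path $sys32 -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
        if (-not $isMicrosoft) {
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status
                Signer = $signer
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Mtime  = $_.LastWriteTime
            }
        }
    }
# Newest modification times first: a rootkit drop usually post-dates the OS install.
$suspectDlls | Sort-Object Mtime -Descending | Format-Table -AutoSize

# --- 2. Cross-view process listing. A user-mode rootkit that hooks one
# enumeration path (e.g. the API Task Manager uses) usually misses another,
# so a PID present in some views but not all is the tell. Processes that
# start or exit between the three snapshots also land here, so rerun before
# drawing conclusions. A kernel-mode rootkit hooking below all three paths
# hides from all of them; that case needs an offline disk or memory image.
$viaApi  = @(Get-Process | ForEach-Object { [int]$_.Id })
$viaWmi  = @(Get-CimInstance -ClassName Win32_Process | ForEach-Object { [int]$_.ProcessId })
$viaTask = @(tasklist /FO CSV /NH |
    ConvertFrom-Csv -Header 'Image','PID','Session','SessionNum','Mem' |
    ForEach-Object { [int]$_.PID })
$everyPid = ($viaApi + $viaWmi + $viaTask) | Sort-Object -Unique

$inconsistent = foreach ($p in $everyPid) {
    $row = [pscustomobject]@{
        PID      = $p
        GetProc  = $viaApi  -contains $p
        WMI      = $viaWmi  -contains $p
        Tasklist = $viaTask -contains $p
    }
    if (-not ($row.GetProc -and $row.WMI -and $row.Tasklist)) { $row }
}
$inconsistent | Format-Table -AutoSize

# --- 3. Listening sockets owned by a PID that no process view reports. This is
# the "IIS is serving but not in the process list" symptom seen from the network
# side: the TCP stack still records the owning PID even when enumeration is hooked.
$orphanListeners = Get-NetTCPConnection -State Listen |
    Where-Object { $everyPid -notcontains [int]$_.OwningProcess } |
    Select-Object LocalAddress, LocalPort, OwningProcess
$orphanListeners | Format-Table -AutoSize

# --- 4. Established connections on common IRC ports, for an r_bot-style C2
# channel. The port list is an assumption; bots are not bound to these ports,
# so an empty result is inconclusive, and any hit's RemoteAddress should be
# resolved and recorded before the connection is cut.
$ircPorts = @(6660..6669) + 7000
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemotePort -in $ircPorts } |
    Select-Object RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize
```

Step 1 is slow on a full System32 (thousands of files) but that is the point: every file gets a hash you can later compare against a clean image. Steps 2 and 3 are the cross-view technique in its simplest form; the hooks a rootkit installs decide which view lies, so the only trustworthy baseline remains the one Nick already recommended to the client, an offline comparison against a known-good image.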