Re: Logon.dll? Possible root-kit?

From: Harlan Carvey (keydet89@yahoo.com)
Date: Thu Apr 03 2003 - 07:20:10 CST


Nick,

Couple of things...

1. The process that handles IIS is NOT "inetsrv",
it's inetinfo.exe.

2. Did you check the file system to see if IIS really
is installed?

3. Did you try pointing a browser (or even
telnetting) to port 80 on the system to see what's
running?

4. Did you run fport.exe from Foundstone?

5. I've checked several Win2K systems at work/home
and haven't found logon.dll...can you zip up and send
me a copy of this file, along with the EXE file that's
accessing it, and any information regarding its
presence in the Registry?

6. You were pretty emphatic that the logon.dll file
was not produced by Microsoft...how do you know this?

7. The IRC bot you found also requires an EXE file to
access the DLL in some way...did you find any evidence
of that?

8. If the client does not want to wipe/restore the
system, then a comprehensive investigation of the
system needs to be conducted. I would strongly
suggest collecting information on processes, installed
services and drivers, network connections,
process-to-port mappings, etc. Once this information
is collected, correlated and analyzed, you can put
together a plan for not only getting the system into
service, but also protecting it in the future.
Another thing I'd strongly suggest looking at is the
IIS logs (if IIS is installed), as well as any other
available application logs.

If you need any help or advice w/ this, please feel
free to contact me.

HTH,

Harlan
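An added illustration of the correlation step described in point 8 above (this is not code from either poster): it parses a process listing and an fport-style process-to-port mapping, then flags a pid that owns a port but is absent from the process list (the "running but not in the process list" symptom Nick reported), a port owned by an image other than its baseline owner, and listeners with no baseline entry at all. Both snapshots and the baseline table are constructed assumptions.

```python
import ntpath
import re

# Constructed process-list snapshot (assumption): note that no pid 1044 appears.
PROCESS_LIST = """\
Pid   Name
4     System
180   smss.exe
220   winlogon.exe
380   svchost.exe
1312  svchost.exe
"""

# Constructed fport-style output (assumption): pid 1044 holds 80/443 yet is unlisted above.
FPORT_OUTPUT = """\
Pid   Process            Port  Proto Path
380   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
1044  inetinfo       ->  80    TCP   C:\\WINNT\\system32\\inetsrv\\inetinfo.exe
1044  inetinfo       ->  443   TCP   C:\\WINNT\\system32\\inetsrv\\inetinfo.exe
1312  svchost        ->  6667  TCP   C:\\WINNT\\system32\\svchost.exe
"""

# Baseline of which image should own which listening port (assumption; IIS is inetinfo.exe).
EXPECTED_OWNERS = {80: "inetinfo.exe", 443: "inetinfo.exe", 135: "svchost.exe"}

_PROC_RE = re.compile(r"^(\d+)\s+(\S+)\s*$")
_FPORT_RE = re.compile(r"^(\d+)\s+\S+\s+->\s+(\d+)\s+(TCP|UDP)\s+(.+?)\s*$")

def parse_process_list(text):
    """Return {pid: lower-cased image name}; header lines do not match and are skipped."""
    procs = {}
    for line in text.splitlines():
        m = _PROC_RE.match(line.strip())
        if m:
            procs[int(m.group(1))] = m.group(2).lower()
    return procs

def parse_fport(text):
    """Return (pid, port, proto, image) tuples; the image is taken from the Path column."""
    rows = []
    for line in text.splitlines():
        m = _FPORT_RE.match(line.strip())
        if m:
            pid, port, proto, path = m.groups()
            rows.append((int(pid), int(port), proto, ntpath.basename(path).lower()))
    return rows

def correlate(procs, bindings, expected=EXPECTED_OWNERS):
    """Cross-check port owners against the process list and the baseline; return findings."""
    findings = []
    for pid, port, proto, image in bindings:
        if pid not in procs:                      # owns a port, yet not in the process list
            findings.append(("hidden_process", pid, port, image))
        owner = expected.get(port)
        if owner is None:                         # listener nobody baselined: review it
            findings.append(("unbaselined_port", pid, port, image))
        elif owner != image:                      # known port, wrong image behind it
            findings.append(("unexpected_owner", pid, port, image))
    return findings

if __name__ == "__main__":
    for finding in correlate(parse_process_list(PROCESS_LIST), parse_fport(FPORT_OUTPUT)):
        print(*finding)
```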

--- Nick Jacobsen <nick@ethicsdesign.com> wrote:
> Hi all, hoping someone can point me in the right
> direction.
> I usually do penetration testing, but one of my
> clients had someone,
> they suspect a past employee, break into their
> network. I didn't get called
> in till well after the incident, and they did not
> have any logs from the
> time of the incident. Now, I have found two
> extremely odd things... One, a
> file called logon.dll in the winnt\system32
> directory, that was NOT made by
> Microsoft, and two, that inetsrv (internet
> information services) does not
> show up in the process list, though it is running.
> BTW, this is a windows
> 2000 box. I have advised this client to wipe the
> box and restore from a
> ghost image, but they are not willing to. I guess
> my question is for any
> possible information on a root kit that could have
> been used against this
> machine, as well as any tools you know about that
> may help me detect the
> rootkit.
> On a second note, I have discovered an IRC bot
> installed on this machine
> as well. The file name was r_bot.dll, and it
> connected to irc.choopa.net,
> channel #thallia, chan password "suckme"... have
> any of you run into this
> specific bot? If so, what commands does it support?
>
> Anyway, thanks in advance for your help.
>
> Nick Jacobsen
> Ethics Design
> nick@ethicsdesign.com
>
>
>

