OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: Logon.dll? Possible root-kit?

From: Nick Jacobsen (nickethicsdesign.com)
Date: Thu Apr 03 2003 - 19:23:24 CST


I'm sorry, the archive was meant for the people who had wanted to decompile
the r_bot.dll IRC bot. I have already determined that it was not a
rootkit... as to the logs, those were the only logs, as IIS was only
running for those days, oddly enough. I have, using some slightly
convoluted methods, determined that the attack originated through an old IIS
box that the system administrator was not aware of. The attacker used that
box, using double decode, to add himself an account on a terminal server
box, upon which he then proceded to install the botkit, and some other
utilities.

Nick Jacobsen

----- Original Message -----
From: "Harlan Carvey" <keydet89yahoo.com>
To: <incidentssecurityfocus.com>
Sent: Thursday, April 03, 2003 5:14 PM
Subject: Re: Logon.dll? Possible root-kit?

> Nick,
>
> I downloaded the archive and went through it.
> Unfortunately, none of the information I asked about
> was in the archive...Registry keys, results of
> fport.exe, etc.
>
> Also, the web logs you included in the archive seem to
> be selected for a specific reason. Why is that? What
> did you expect them to show? One shows a failed Nimda
> scan.
>
> At this point, I don't know that decompiling the DLLs
> are going to do much in the way of helping figure out
> how this occurred, and what to do to prevent it in the
> future.
>
> Good luck
>
>
> --- Nick Jacobsen <nickethicsdesign.com> wrote:
> > Ok here is link to a rar of the suspected files:
> > http://www.ethicsdesign.com/HackLog.rar
> >
> > As some of you said, it looks like there is not a
> > rootkit installed, and it
> > looks like this was an attempt at making this box
> > join a botnet. A kindly
> > IRCOp has offered to both decompile the bot dll, and
> > to remove the offending
> > channel (#thallia), so that is taken care of.
> > Anyway, I did manage to
> > convince my clients that this was serious enough to
> > warant a wipe of the
> > data on the machine. I am waiting to see what your
> > analysis of these files
> > are.
> >
> > Thank You,
> > Nick Jacobsen
> > nickethicsdesign.com
> >
> >
> >
> --------------------------------------------------------------------------
--
> > Powerful Anti-Spam Management and More...
> > SurfControl E-mail Filter puts the brakes on spam,
> > viruses and malicious code. Safeguard your business
> > critical communications. Download a free 30-day
> > trial:
> > http://www.securityfocus.com/SurfControl-incidents
> >
>
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Tax Center - File online, calculators, forms, and more
> http://tax.yahoo.com

----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents