RE: Logon.dll? Possible root-kit?
From: Jason Pagano (JPAGANO@orthonet-online.com)
Date: Fri Apr 04 2003 - 07:40:32 CST
Logon.dll and dir.dll are just serv-u's motd/dir change files..
MsCtrl32ocx.ocx is the conf (open it in wordpad)
Su.exe and explorer.exe are both serv-u (rooted by 2 different people?)..
All the DWRC* and DNTUS26.exe are dameware (dameware.com)
The batch files were probably run as services
I'd be willing to bet the ranch that the hacked box had a null or weak admin
pass... probably on a fast line as well seeing it was being used as a pub
warez box .. look in c:\winnt\system32\spool\drivers\color\
You'll find your warez there
Bot.dll is packed with upx, after decompressing it and taking a look there are
at least 3 references to 3 different ircd's .. and the version reply:
TircClient OpenSource component 2.0 by G.Timmons:
http://shadeline.hypermart.net/index.html
-----Original Message-----
From: Nick Jacobsen [mailto:nick@ethicsdesign.com]
Sent: Thursday, April 03, 2003 3:43 PM
To: incidents@securityfocus.com
Subject: Re: Logon.dll? Possible root-kit?
Ok here is a link to a rar of the suspected files:
http://www.ethicsdesign.com/HackLog.rar
As some of you said, it looks like there is not a rootkit installed, and it
looks like this was an attempt at making this box join a botnet. A kindly
IRCOp has offered to both decompile the bot dll, and to remove the offending
channel (#thallia), so that is taken care of. Anyway, I did manage to
convince my clients that this was serious enough to warrant a wipe of the
data on the machine. I am waiting to see what your analysis of these files
is.
Thank You,
Nick Jacobsen
nick@ethicsdesign.com
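A small offline triage helper in the spirit of the analysis in this thread (flagging a UPX-packed binary and pulling out the IRC-protocol strings that mark it as a bot). This is an added example, not code from either poster; the sample byte blobs are constructed here and the UPX marker check is a heuristic assumption, not proof of packing.

```python
"""Flag UPX-packed files and IRC bot strings in suspect binaries (added example)."""
import re
from typing import Dict, List

# UPX leaves these section names / signature in a packed file. Hint only:
# plenty of legitimate software is UPX-packed too.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")
# Strings an IRC bot needs to register, join and talk in a control channel.
IRC_PATTERNS = [
    re.compile(r"\b(NICK|USER|JOIN|PRIVMSG|NOTICE)\s+\S+"),
    re.compile(r"\birc[\w.-]*\.[a-z]{2,}\b", re.IGNORECASE),  # irc host names
    re.compile(r"#[\w-]{2,}"),                                 # channel names
]
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def is_upx_packed(data: bytes) -> bool:
    """Cheap marker check; a packed bot.dll would trip this before unpacking."""
    return any(m in data for m in UPX_MARKERS)


def extract_strings(data: bytes) -> List[str]:
    """Printable ASCII runs of 6+ chars, like the `strings` tool."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def irc_indicators(data: bytes) -> List[str]:
    """Unique strings matching IRC commands, server names or channel names."""
    hits: List[str] = []
    for s in extract_strings(data):
        for pat in IRC_PATTERNS:
            for m in pat.finditer(s):
                if m.group() not in hits:
                    hits.append(m.group())
    return hits


def triage(data: bytes) -> Dict[str, object]:
    """Summarise one file; 'suspicious' needs both packing and IRC strings."""
    irc = irc_indicators(data)
    packed = is_upx_packed(data)
    return {"upx_packed": packed, "irc": irc, "suspicious": packed and bool(irc)}


# Constructed sample blobs (not real binaries): a packed bot-like file and a
# plain file carrying no IRC strings.
BOT_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8 + b"UPX0\x00\x00\x00\x00UPX1\x00"
              + b"NICK [USA]dsl-7713\r\nJOIN #ctrl-room\r\n"
              + b"irc.example.net\x00PRIVMSG #ctrl-room :up\r\n")
CLEAN_SAMPLE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n"

if __name__ == "__main__":
    for name, blob in (("bot", BOT_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, triage(blob))
```

Run it against real files by reading them in binary mode and passing the bytes to `triage()`; treat a hit as a reason to unpack and look further, not as a verdict.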