I've seen this kind of stuff on a compromised NT machine a few weeks ago, and the rootkit installed was a hacked version of Hacker Defender 0.73 (http://rootkit.host.sk). I've just done an md5sum of the binary (the standard one downloaded from the net, not the hacked one I found on the machine), guess what?

HxDef073.exe -> 39a9e5c05ffbda925da0d2ec9b4f512a
Drop.exe     -> 39a9e5c05ffbda925da0d2ec9b4f512a

I think we've found it :)

In order to see all the same stuff on the live system, I had to connect using the builtin backdoor (check the passwd in your drop.ini file). This one works with every open port on the hacked system, with a client software packaged with HxDef073.

You can also, if you can modify the compromised machine, rename the drop.ini file to another name. Upon reboot, the rootkit won't run. You will then see all the hidden files and directories, and the hidden registry keys which launch the rootkit on reboot.

Hope this helps

E.Marchand

> -----Original Message-----
> From: shrink-wrapat_private [mailto:shrink-wrapat_private]
> Sent: Tuesday 6 May 2003 04:53
> To: forensicsat_private
> Subject: Finding root-kits on Windows
>
> If someone could help me I would appreciate it- my current situation is:
>
> On a compromised Windows 2k Pro box I have a directory with suspect binaries (which I discovered from a disk image via autopsy/sleuthkit- awesome stuff) but on the compromised machine it is impossible* to view these files or the directory. A listing of the files and the directory is attached at the end of the e-mail. After reading more and more on Windows rootkits- one of the common ways to use them is to pick a common string to hide and in my case all the files and the directory have the string "drop" as part of their name. As a test I created a directory in the root of the drive named "dropper" and it also "disappeared".
>
> So my question is, how can I find this root-kit that is hooked into my kernel? I am looking at my sysinfo for the box but while there are a number of drivers running- how would I further investigate what they are doing? BTW, it hasn't matched up with a well-known root-kit yet (like slanret).
>
> Thanks
> S-W
>
> *=except 'cd'ing, via command prompt only, into the suspect (drop) directory and 'dir' listing all files *without* the "drop" name--possibly an error with the root-kit?
>
> File and directory listing: (md5 hash / file name / size)
>
> MD5 Values for files in /mnt/evidence/WINNT/system32/ (images/win2kpart1.img)
>
> 39a9e5c05ffbda925da0d2ec9b4f512a  drop.exe         50688
> c647b4225e022096fb125f6bc49c5c91  drop.ini         383
> da0bae77d169430f23134c1bea850c10  droper.exe       1364009
> d66183219dcc4df876b94507c517decd  dropz.dat        244
> 623dfe4b51bc457a93b6cbbdeb62f3aa  dropz.exe        196922
>
> MD5 Values for files in /mnt/evidence/WINNT/system32/drop/ (images/win2kpart1.img)
>
> f52d332ff50cb543c6d47d9aa4a0f608  dropclient.exe   30208
> 084badcff1da96797dddfd29b5038273  dropcmdsrv.exe   32768
> a109f9c51681ec708342db2af6c4bebb  dropFar.exe      416800
> 26c1a98812d114c7ad2bc8e8d7119315  dropisql.exe     98304
> e0fb946c00b140693e3cf5de258c22a1  dropnc.exe       59392
> b5f519b3844c4d3c5451d90f70c59737  dropNTUSER.EXE   114176
> 998c2626a275c4ee1d59c2b3d0ede028  droppkzip.exe    339456
> 7eec3f77f9cb19fda1d06403ec1472f1  droppm.exe       5632
> 9c77ed16bcba7c61d620ec040788e7e8  dropport.exe     48640
> ca0447d2feccc4a5ac3c9128d61debe7  droppwdump2.exe  32768
> b7989bcb72225521c79163517cabe69a  FarEng.hlf       72121
> f7dddbdbbc5879bf16ac00cedcd20745  FarEng.lng       16618
> ab1f54a5fa3e653b6784c44407f113ac  samdump.dll      36864
>
> MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/FTP/ (images/win2kpart1.img)
>
> 8e15302b6d6e34f97d1a9729a8982f2e  farftp.dll       115232
> c9c65b08d29378823d4f41bc7f96787f  FtpEng.hlf       6514
> 5473c2f0e88c2a6732bbbcf72e895523  FtpEng.lng       2307
>
> MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/Network/ (images/win2kpart1.img)
>
> 899618cc2b78249ae846aea0ae7a8e55  NetEng.hlf       1033
> e094baf947eddf5c5d744247ec75859e  NetEng.lng       625
> 701c98c6799d450f458335b498806fa2  NETWORK.dll      45600
>
> MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/ProcList/ (images/win2kpart1.img)
>
> 43ca7be3f1bb03d47b77ea836f996fba  ProcEng.hlf      444
> 77fc621c42ea93a8a0ff9bd32331c350  ProcEng.lng      442
> 9691161c57d0cb6500af09df919b852f  PROCLIST.dll     51232
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
> -----------------------------------------------------------------
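The two detection steps the thread relies on (comparing the disk-image listing with what the rootkitted OS shows, then matching a suspect binary's MD5 against the public HxDef073.exe) as an added example; this is not code from either poster. The function names and the sample listings are constructed for illustration; the only real value is the MD5 quoted in the reply.

```python
"""Cross-view check for files hidden by a user-mode rootkit such as Hacker
Defender: the listing taken from the disk image (autopsy/sleuthkit) is compared
with the listing the compromised OS reports live. Entries the image has but the
live view lacks are candidates, and the substring common to all of them is the
string the rootkit's config hides on ("drop" in the thread)."""
import hashlib
from typing import Iterable

# Reference MD5 of the public HxDef073.exe, as reported in the reply above.
KNOWN_ROOTKIT_MD5 = {
    "39a9e5c05ffbda925da0d2ec9b4f512a": "Hacker Defender 0.73 (HxDef073.exe)",
}

def md5_file(path: str, chunk: int = 1 << 16) -> str:
    """MD5 of a file read from the mounted image, in chunks (run offline, not on the live box)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hidden_entries(offline: Iterable[str], live: Iterable[str]) -> list[str]:
    """Names the image shows but the live OS does not: candidates hidden by a rootkit."""
    return sorted(set(offline) - set(live))

def shared_substring(names: list[str], min_len: int = 3) -> str:
    """Longest substring (case-insensitive) common to every hidden name, or "" if none."""
    low = [n.lower() for n in names]
    if not low:
        return ""
    shortest = min(low, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if all(cand in n for n in low):
                return cand
    return ""

def match_known(hashes: dict[str, str]) -> list[tuple[str, str]]:
    """Pair each (filename -> md5) with a known rootkit binary when the hash matches."""
    return [(n, KNOWN_ROOTKIT_MD5[h]) for n, h in hashes.items() if h in KNOWN_ROOTKIT_MD5]

def analyze(offline: Iterable[str], live: Iterable[str], hashes: dict[str, str]) -> dict:
    """Combine both checks into one report for the analyst."""
    hidden = hidden_entries(offline, live)
    return {"hidden": hidden, "hide_string": shared_substring(hidden), "known": match_known(hashes)}

# Constructed WINNT\system32 listings: from the image and from the live (rootkitted) box.
OFFLINE = ["cmd.exe", "drop", "drop.exe", "drop.ini", "droper.exe", "dropz.dat", "dropz.exe"]
LIVE = ["cmd.exe"]
HASHES = {"drop.exe": "39a9e5c05ffbda925da0d2ec9b4f512a"}  # MD5 quoted in the thread
```

Feed `hidden_entries` with `os.listdir` output from the mounted image and from a `dir` listing captured on the live machine; `analyze(OFFLINE, LIVE, HASHES)` on the sample data reports the hide string "drop" and identifies drop.exe as HxDef073.exe.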
This archive was generated by hypermail 2b30 : Thu May 08 2003 - 14:43:49 PDT