I will be packaging all the suspect files I find into a rar and putting them on my site. Should be sometime tomorrow morning. At that time, I'll go ahead and send a link to them. Thanks for the help with offers to RE them...

Nick Jacobsen
Ethics Design
nickat_private

----- Original Message -----
From: "Exurity Debugs" <exbugsat_private>
To: "Nick Jacobsen" <nickat_private>
Sent: Wednesday, April 02, 2003 8:24 PM
Subject: RE: Logon.dll? Possible root-kit?

> Could you get a copy of them and kindly send to me to reverse?
>
> Peter Huang
> http://members.rogers.com/exurity/
> Executable Security
>
> -----Original Message-----
> From: Nick Jacobsen [mailto:nickat_private]
> Sent: Wednesday, April 02, 2003 9:10 PM
> To: incidentsat_private
> Subject: Logon.dll? Possible root-kit?
>
> Hi all, hoping someone can point me in the right direction.
> I usually do penetration testing, but one of my clients had someone,
> they suspect a past employee, break into their network. I didn't get called
> in till well after the incident, and they did not have any logs from the
> time of the incident. Now, I have found two extremely odd things... One, a
> file called logon.dll in the winnt\system32 directory, that was NOT made by
> Microsoft, and two, that inetsrv (Internet Information Services) does not
> show up in the process list, though it is running. BTW, this is a Windows
> 2000 box. I have advised this client to wipe the box and restore from a
> ghost image, but they are not willing to. I guess my question is for any
> possible information on a root kit that could have been used against this
> machine, as well as any tools you know about that may help me detect the
> rootkit.
>
> On a second note, I have discovered an IRC bot installed on this machine
> as well. The file name was r_bot.dll, and it connected to irc.choopa.net,
> channel #thallia, chan password "suckme"... Have any of you run into this
> specific bot? If so, what commands does it support?
>
> Anyway, thanks in advance for your help.
>
> Nick Jacobsen
> Ethics Design
> nickat_private
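The hidden-process symptom in the original question (a service that is running but absent from the process list) is classically confirmed by cross-view diffing: compare one view of the system with another that a rootkit would have to hook separately. The script below is an added example, not part of the thread or anyone's posted tool; both snapshots are constructed and the column layout is assumed, so adapt the parsers to whatever listing tool you actually run on the box.

```python
"""Cross-view check: PIDs that own network sockets but are missing from the
process list. Added example; both snapshots below are constructed."""
import re

# Constructed process-list snapshot (image name, PID), as a task-list tool prints it.
TASKLIST_OUTPUT = """\
Image Name                   PID
System                         8
winlogon.exe                 164
services.exe                 192
svchost.exe                  384
explorer.exe                 912
"""

# Constructed socket-owner snapshot (proto, local, foreign, state, owning PID).
NETSTAT_OUTPUT = """\
Proto  Local Address      Foreign Address    State        PID
TCP    0.0.0.0:80         0.0.0.0:0          LISTENING    1024
TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    192
TCP    10.0.0.5:1037      192.0.2.10:6667    ESTABLISHED  1196
"""

def parse_tasklist(text):
    """Return {pid: image_name}; the header line is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        m = re.match(r"^(\S+)\s+(\d+)$", line.strip())
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs

def parse_socket_owners(text):
    """Return {pid: [(proto, local, foreign, state), ...]}; header skipped."""
    owners = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 5:
            proto, local, foreign, state, pid = parts
            owners.setdefault(int(pid), []).append((proto, local, foreign, state))
    return owners

def hidden_socket_owners(tasklist_text, netstat_text):
    """PIDs visible in the socket view but not in the process view: the
    discrepancy a process-hiding rootkit produces."""
    visible = parse_tasklist(tasklist_text)
    owners = parse_socket_owners(netstat_text)
    return {pid: socks for pid, socks in owners.items() if pid not in visible}

if __name__ == "__main__":
    for pid, socks in sorted(hidden_socket_owners(TASKLIST_OUTPUT, NETSTAT_OUTPUT).items()):
        for proto, local, foreign, state in socks:
            print(f"hidden PID {pid}: {proto} {local} -> {foreign} {state}")
```

On a box you do not trust, take the two views with tools copied from known-good media rather than the binaries already on the system, since a kernel rootkit may hook both views equally.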
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 16:30:07 PST