I'm thinking that you have a hell of a problem on your hands. The box is clearly (from what you've said) compromised, and the client is going to have to bite the bullet and wipe/reinstall if they ever want to be sure that they've contained the breach. What else can you tell us about logon.dll, and about the irc bot? Can you find the files associated with it using fport? And is logon.dll being used, perhaps, as an alternate GINA? Finally, what ports are open (inbound, through the firewall) to this box? -----Original Message----- From: Nick Jacobsen [mailto:nickat_private] Sent: Wednesday, April 02, 2003 9:10 PM To: incidentsat_private Subject: Logon.dll? Possible root-kit? Hi all, hoping someone can point me in the right direction. I usually do penetration testing, but one of my clients had someone, they suspect a past employee, break into their network. I didn't get called in till well after the incident, and they did not have any logs from the time of the incident. Now, I have found two extremely odd things... One, a file called logon.dll in the winnt\system32 directory, that was NOT made by microsoft, and two, that inetsrv (internet information services) does not show up in the process list, though it is running. BTW, this is a windows 2000 box. I have advised this client to wipe the box and restore from a ghost image, but they are not willing to. I guess my question is for any possible information on a root kit that could have been used againt this machine, as well as any tools you know about that may help me detect the rootkit. On a second note, I have discovered an IRC bot installed on this machine as well. The file name was r_bot.dll, and it connected to irc.choopa.net, channel #thallia, chan password "suckme"... have any of you run into this specific bot? if so, what commands does it support? Anyway, thanks in advance for your help. Nick Jacobsen Ethics Design nickat_private ---------------------------------------------------------------------------- Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents ---------------------------------------------------------------------------- Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 16:45:29 PST