Nick,

Couple of things...

1. The process that handles IIS is NOT "inetsrv", it's inetinfo.exe.

2. Did you check the file system to see if IIS really is installed?

3. Did you try pointing a browser (or even telnetting) to port 80 on the system to see what's running?

4. Did you run fport.exe from Foundstone?

5. I've checked several Win2K systems at work/home and haven't found logon.dll...can you zip up and send me a copy of this file, along with the EXE file that's accessing it, and any information regarding its presence in the Registry?

6. You were pretty emphatic that the logon.dll file was not produced by Microsoft...how do you know this?

7. The IRC bot you found also requires an EXE file to access the DLL in some way...did you find any evidence of that?

8. If the client does not want to wipe/restore the system, then a comprehensive investigation of the system needs to be conducted. I would strongly suggest collecting information on processes, installed services and drivers, network connections, process-to-port mappings, etc. Once this information is collected, correlated and analyzed, you can put together a plan for not only getting the system into service, but also protecting it in the future.

Another thing I'd strongly suggest looking at is the IIS logs (if IIS is installed), as well as any other available application logs.

If you need any help or advice w/ this, please feel free to contact me.

HTH,

Harlan

--- Nick Jacobsen <nickat_private> wrote:
> Hi all, hoping someone can point me in the right direction.
> I usually do penetration testing, but one of my clients had someone,
> they suspect a past employee, break into their network. I didn't get
> called in till well after the incident, and they did not have any logs
> from the time of the incident. Now, I have found two extremely odd
> things...
> One, a file called logon.dll in the winnt\system32 directory, that was
> NOT made by Microsoft, and two, that inetsrv (Internet Information
> Services) does not show up in the process list, though it is running.
> BTW, this is a Windows 2000 box. I have advised this client to wipe the
> box and restore from a ghost image, but they are not willing to. I guess
> my question is for any possible information on a root kit that could
> have been used against this machine, as well as any tools you know about
> that may help me detect the rootkit.
> On a second note, I have discovered an IRC bot installed on this machine
> as well. The file name was r_bot.dll, and it connected to irc.choopa.net,
> channel #thallia, chan password "suckme"... have any of you run into this
> specific bot? If so, what commands does it support?
>
> Anyway, thanks in advance for your help.
>
> Nick Jacobsen
> Ethics Design
> nickat_private
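One way to do the correlation Harlan recommends in point 8 (process list against process-to-port mappings, with point 1's "port 80 should belong to inetinfo.exe" as the expected baseline), as an added example that is not part of this thread. It assumes fport-style output lines of the form `Pid Process -> Port Proto Path` and a plain `Name Pid` process listing; the sample data, the image names `srvc.exe` and `upd.exe`, and the expected-listener table are constructed for the demo. It flags a PID that holds a port but is missing from the process list (the kind of discrepancy Nick describes), an unexpected image on a well-known service port, and an image running from outside the system directory.

```python
"""Triage helper (added example, not from the list post): correlate a
process-to-port mapping with a process listing and report discrepancies.
Sample input below is constructed; the fport-style layout is an assumption."""
import re
from dataclasses import dataclass

# Port -> image names expected to own it on a Windows 2000 host.
# 80/443 -> inetinfo (per the reply); 135/445 are assumptions for the demo.
EXPECTED_LISTENER = {
    80: {"inetinfo"},
    443: {"inetinfo"},
    135: {"svchost"},
    445: {"system"},
}
SYSTEM_DIR_PREFIX = "c:\\winnt\\"  # Windows 2000 default system root

# Constructed fport-style output: "Pid Process -> Port Proto Path"
SAMPLE_FPORT = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Pid   Process            Port  Proto Path
8     System         ->  445   TCP
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
1204  srvc           ->  80    TCP   C:\\WINNT\\system32\\srvc.exe
1320  upd            ->  8080  TCP   C:\\RECYCLER\\upd.exe
"""

# Constructed process listing ("Name Pid"); note PID 1204 is absent.
SAMPLE_PSLIST = """\
Name          Pid
System          8
svchost       392
upd          1320
"""

FPORT_LINE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s*(?P<path>.*)$"
)


@dataclass
class PortMapping:
    pid: int
    process: str
    port: int
    proto: str
    path: str


def parse_fport(text):
    """Parse fport-style lines; banner, header and blank lines are skipped."""
    mappings = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line.strip())
        if m:
            mappings.append(PortMapping(int(m["pid"]), m["proc"], int(m["port"]),
                                        m["proto"], m["path"].strip()))
    return mappings


def parse_process_list(text):
    """Parse 'Name Pid' lines into {pid: name}; the header is skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0]
    return procs


def triage(mappings, procs):
    """Return (pid, port, reason) tuples for every discrepancy found."""
    findings = []
    for m in mappings:
        name = m.process.lower()
        if name.endswith(".exe"):
            name = name[:-4]
        # A port owner that the process list does not show is a hiding indicator.
        if m.pid not in procs:
            findings.append((m.pid, m.port,
                             "PID holds a port but is absent from the process list"))
        # A well-known service port served by the wrong image.
        expected = EXPECTED_LISTENER.get(m.port)
        if expected and name not in expected:
            findings.append((m.pid, m.port,
                             f"unexpected image '{m.process}' on port {m.port}; "
                             f"expected {sorted(expected)}"))
        # An image loaded from outside the system directory.
        if m.path and not m.path.lower().startswith(SYSTEM_DIR_PREFIX):
            findings.append((m.pid, m.port, f"image outside system directory: {m.path}"))
    return findings


if __name__ == "__main__":
    for pid, port, reason in triage(parse_fport(SAMPLE_FPORT),
                                    parse_process_list(SAMPLE_PSLIST)):
        print(f"PID {pid:<5} port {port:<5} {reason}")
```

On a live case the two sample strings would be replaced by the captured fport.exe and process-list output; the findings are leads to verify against the binaries and the Registry, not conclusions.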
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 16:48:04 PST