Re: Logon.dll? Possible root-kit?

From: Nick Jacobsen (nickat_private)
Date: Thu Apr 03 2003 - 12:43:05 PST

    Ok, here is a link to a rar of the suspected files:
        http://www.ethicsdesign.com/HackLog.rar
    
    As some of you said, it looks like there is not a rootkit installed, and it
    looks like this was an attempt at making this box join a botnet.  A kindly
    IRCOp has offered to both decompile the bot dll, and to remove the offending
    channel (#thallia), so that is taken care of.  Anyway, I did manage to
    convince my clients that this was serious enough to warrant a wipe of the
    data on the machine.  I am waiting to see what your analysis of these files
    is.
    
    Thank You,
    Nick Jacobsen
    nickat_private
    
    
    



    This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 16:49:26 PST