Re: Logon.dll? Possible root-kit?

From: Nick Jacobsen (nickat_private)
Date: Thu Apr 03 2003 - 17:23:24 PST


    I'm sorry, the archive was meant for the people who had wanted to decompile
    the r_bot.dll IRC bot.  I have already determined that it was not a
    rootkit...  as to the logs, those were the only logs, as IIS was only
    running for those days, oddly enough.  I have, using some slightly
    convoluted methods, determined that the attack originated through an old IIS
    box that the system administrator was not aware of.  The attacker used that
    box, using double decode, to add himself an account on a terminal server
    box, upon which he then proceeded to install the botkit, and some other
    utilities.
    
    Nick Jacobsen
    
    ----- Original Message -----
    From: "Harlan Carvey" <keydet89at_private>
    To: <incidentsat_private>
    Sent: Thursday, April 03, 2003 5:14 PM
    Subject: Re: Logon.dll? Possible root-kit?
    
    
    > Nick,
    >
    > I downloaded the archive and went through it.
    > Unfortunately, none of the information I asked about
    > was in the archive...Registry keys, results of
    > fport.exe, etc.
    >
    > Also, the web logs you included in the archive seem to
    > be selected for a specific reason.  Why is that?  What
    > did you expect them to show?  One shows a failed Nimda
    > scan.
    >
    > At this point, I don't know that decompiling the DLLs
    > are going to do much in the way of helping figure out
    > how this occurred, and what to do to prevent it in the
    > future.
    >
    > Good luck
    >
    >
    > --- Nick Jacobsen <nickat_private> wrote:
    > > Ok here is link to a rar of the suspected files:
    > >     http://www.ethicsdesign.com/HackLog.rar
    > >
    > > As some of you said, it looks like there is not a
    > > rootkit installed, and it
    > > looks like this was an attempt at making this box
    > > join a botnet.  A kindly
    > > IRCOp has offered to both decompile the bot dll, and
    > > to remove the offending
    > > channel (#thallia), so that is taken care of.
    > > Anyway, I did manage to
    > > convince my clients that this was serious enough to
    > > warrant a wipe of the
    > > data on the machine.  I am waiting to see what your
    > > analysis of these files
    > > are.
    > >
    > > Thank You,
    > > Nick Jacobsen
    > > nickat_private
    > >
    > >
    > >
    
    
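The thread attributes the initial access to IIS "double decode" on a forgotten IIS box. As an added example (not part of this thread or of any tool mentioned in it), here is a small defender-side check that runs over IIS W3C-style log lines and separates requests that only become a path traversal after a second URL decode from ones that traverse after a single decode. The log lines are constructed, and the code assumes cs-uri-stem was logged as received rather than already decoded.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (date time c-ip method uri-stem uri-query status).
# Assumption: cs-uri-stem is recorded as received, before IIS decoded it.
SAMPLE_LOG = """\
2003-04-01 03:12:44 10.0.0.5 GET /default.asp - 200
2003-04-01 03:13:02 10.0.0.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2003-04-01 03:13:09 10.0.0.9 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2003-04-01 03:14:10 10.0.0.7 GET /images/logo%2520small.gif - 200
"""

# A '..' followed by either directory separator.
TRAVERSAL = re.compile(r"\.\.[\\/]")


def classify_uri(stem):
    """Decode the stem once and twice.

    'traversal'     : a traversal sequence is present after one decode
    'double-decode' : it appears only after the second decode, i.e. the
                      request hid behind an encoded '%' (%25) so a server
                      that checked the path after one decode saw nothing
    'clean'         : neither
    """
    once = unquote(stem)
    twice = unquote(once)
    if TRAVERSAL.search(once):
        return "traversal"
    if twice != once and TRAVERSAL.search(twice):
        return "double-decode"
    return "clean"


def scan_log(text):
    """Return (c-ip, uri-stem, verdict) for every non-clean request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue  # skip W3C header/directive lines and short records
        ip, stem = fields[2], fields[4]
        verdict = classify_uri(stem)
        if verdict != "clean":
            hits.append((ip, stem, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```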
    


