RE: Logon.dll? Possible root-kit?

From: Jason Pagano (JPAGANO@orthonet-online.com)
Date: Fri Apr 04 2003 - 05:40:32 PST


    Logon.dll and dir.dll are just serv-u's motd/dir change files..
    MsCtrl32ocx.ocx is the conf (open it in wordpad)
    Su.exe and explorer.exe are both serv-u (rooted by 2 different people?).. 
    All the DWRC* and DNTUS26.exe is dameware (dameware.com)
    The batch files were probably run as services
    I'd be willing to bet the ranch that the hacked box had a null or weak admin
    pass... probably on a fast line as well seeing it was being used as a pub
    warez box .. look in c:\winnt\system32\spool\drivers\color\
    You'll find your warez there
    Bot.dll is packed with upx, after decompressing it and taking a look there are
    at least 3 references to 3 different ircd's .. and version reply 
    TircClient OpenSource component 2.0 by G.Timmons:
    http://shadeline.hypermart.net/index.html 
    
    -----Original Message-----
    From: Nick Jacobsen [mailto:nickat_private] 
    Sent: Thursday, April 03, 2003 3:43 PM
    To: incidentsat_private
    Subject: Re: Logon.dll? Possible root-kit?
    
    Ok, here is a link to a rar of the suspected files:
        http://www.ethicsdesign.com/HackLog.rar
    
    As some of you said, it looks like there is not a rootkit installed, and it
    looks like this was an attempt at making this box join a botnet.  A kindly
    IRCOp has offered to both decompile the bot dll, and to remove the offending
    channel (#thallia), so that is taken care of.  Anyway, I did manage to
    convince my clients that this was serious enough to warrant a wipe of the
    data on the machine.  I am waiting to see what your analysis of these files
    is.
    
    Thank You,
    Nick Jacobsen
    nickat_private
    
    
    ----------------------------------------------------------------------------
    Powerful Anti-Spam Management and More...
    SurfControl E-mail Filter puts the brakes on spam,
    viruses and malicious code. Safeguard your business
    critical communications. Download a free 30-day trial:
    http://www.securityfocus.com/SurfControl-incidents
    
    
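The triage Jason describes above (checking whether Bot.dll is UPX-packed and, once decompressed, pulling the IRC server references out of it), as an added Python example that is not part of the thread. It reads the PE section table for UPX's leftover section names and scans printable strings for IRC markers; the PE blobs, section names and strings it works on are constructed for the example, and the indicator lists are assumptions rather than anything from the original files.

```python
import re
import struct

# Constructed indicator lists for this example (assumptions, not from the original post).
UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}
IRC_MARKERS = (b"ircd", b"NICK ", b"JOIN #", b"PRIVMSG ", b"TircClient")

def pe_section_names(data: bytes) -> list:
    """Read section names from a PE section table; [] if the blob is not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                 # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def is_upx_packed(data: bytes) -> bool:
    """UPX leaves its own section names behind; a cheap but useful first check."""
    return any(n in UPX_SECTIONS for n in pe_section_names(data))

def irc_indicators(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII strings mentioning IRC; only meaningful after unpacking (upx -d)."""
    strings = (m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data))
    return sorted({s.decode() for s in strings if any(k in s for k in IRC_MARKERS)})

def triage(data: bytes) -> dict:
    return {"upx_packed": is_upx_packed(data), "irc_strings": irc_indicators(data)}

def build_sample_pe(section_names, payload: bytes) -> bytes:
    """Minimal PE-shaped blob for offline testing (constructed; not an executable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + payload

# Two constructed samples: one carrying both signals (UPX section names plus visible
# IRC strings, as the unpacked Bot.dll would show) and one benign-looking file.
SAMPLE_BOT = build_sample_pe(["UPX0", "UPX1"],
    b"Connect to ircd.example.test port 6667\0NICK botnick\0JOIN #thallia\0")
SAMPLE_CLEAN = build_sample_pe([".text", ".data"], b"Hello from a benign program\0")
```

On a still-packed file the string scan finds almost nothing, which is exactly why the post decompresses first; the section-name check is what tells you to do that.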



    This archive was generated by hypermail 2b30 : Fri Apr 04 2003 - 16:44:08 PST