Logon.dll and dir.dll are just serv-u's motd/dir change files.. MsCtrl32ocx.ocx is the conf (open it in wordpad) Su.exe and explorer.exe are both serv-u (rooted by 2 different people?).. All the DWRC* and DNTUS26.exe is dameware (dameware.com) The batch files were probably run as services I'd be willing to bet the ranch that the hacked box had a null or weak admin pass... probably on a fast line aswell seeing it was being used as a pub warez box .. look in c:\winnt\system32\spool\drivers\color\ You'll find your warez there Bot.dll is packed with upx, after decompressing it and takin a look there is atleast 3 references to 3 different ircd's .. and version reply TircClient OpenSource component 2.0 by G.Timmons: http://shadeline.hypermart.net/index.html -----Original Message----- From: Nick Jacobsen [mailto:nickat_private] Sent: Thursday, April 03, 2003 3:43 PM To: incidentsat_private Subject: Re: Logon.dll? Possible root-kit? Ok here is link to a rar of the suspected files: http://www.ethicsdesign.com/HackLog.rar As some of you said, it looks like there is not a rootkit installed, and it looks like this was an attempt at making this box join a botnet. A kindly IRCOp has offered to both decompile the bot dll, and to remove the offending channel (#thallia), so that is taken care of. Anyway, I did manage to convince my clients that this was serious enough to warant a wipe of the data on the machine. I am waiting to see what your analysis of these files are. Thank You, Nick Jacobsen nickat_private ---------------------------------------------------------------------------- Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents ---------------------------------------------------------------------------- Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents
This archive was generated by hypermail 2b30 : Fri Apr 04 2003 - 16:44:08 PST