Basically the box was locking up. I logged into it and noticed the patch level was way behind. I immediately became suspicious and port scanned it; sure enough, there was an FXP daemon listening on port 444. From there I ran FPORT to determine the name of the file that was listening on 444: it was secsrvc.exe. That's where I hit the brick wall, because secsrvc.exe didn't exist. Then, just for kicks, I did some reading about NT rootkits and tried the 'rename' trick. So I renamed a file secsrvc, and it vanished. Then I ascertained that something must be hiding files with that extension from various parts of my system, so I made new copies of regedit, taskmgr and cmd, all with the prefix secsrvr (secsrvrregedit.exe). Then I was able to see everything that was affected: it installed itself as two services, one called XGA and the other called 'Secure Routing'. Both obvious shams.

-----Original Message-----
From: Harlan Carvey [mailto:keydet89at_private]
Sent: Thursday, June 12, 2003 7:34 PM
To: drewat_private
Subject: re: Windows 2k rootkit incident

Drew,

Can you elaborate on what made you suspicious about this particular rooted box, and what you did to find the files in question? It looks like some of the files are renamed MS files... for example, mfxp_sperm.exe is xcalcs.exe. It also looks as if psloglist and psinfo are included either in the rootkit, or you ran them to provide information... w/o some kind of explanation, it really isn't clear. This does look like HackerDefender was used... any idea how it got there?

Thanks for the time,
Harlan
This archive was generated by hypermail 2b30 : Fri Jun 13 2003 - 13:29:54 PDT