root_drv.sys rootkit

From: Llistes Diverses (deixalles_at_gmail.com)
Date: Mon, 8 Nov 2004 20:02:49 +0100
To: focus-ms@securityfocus.com

  • Next message: Renouf, Phil: "RE: root_drv.sys rootkit"


Hello all,

I have a Windows 2003 Web Edition Server that has been compromised due
to some big mistakes of ours.
The problem is that this server now has a rootkit installed. It
contains some complex configuration and I would so much like to be
able to keep the server without reinstalling!

The rootkit is loaded from C:\winnt\system32\root_drv.sys (I can see
it running with TaskInfo2003).
The file is hidden and can't be seen within Windows at user level, but I'm
able to see and remove the file from a Linux box with Samba.
So I removed the file, removed the whole dllcache and rebooted the system. But
root_drv is back there again and running!
Any clue where that rootkit is backed up and/or how I can remove it?
Any idea which rootkit that is and where I can find some info about it?

Help me please!
Thank you all!

BR,
Xavi.
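
A check that goes with the situation described above, as an added example that is not part of the original post or of any reply: a kernel driver that reappears after its file is deleted is almost always still registered as a driver service under HKLM\SYSTEM\CurrentControlSet\Services, and the rootkit's own hooks hide both the file and, often, that key from tools run on the live system. The script below enumerates every kernel-mode and file-system driver service, resolves its ImagePath, and flags entries whose image is not visible through the normal file API or whose name matches the suspect driver. It is written in PowerShell as a present-day equivalent of the `reg query` and `sc` checks one would have typed in 2004; the name `root_drv` is taken from the post, and the variable names and output layout are the example's own.

```powershell
# Added example, not code from the original post.
# Assumptions: run elevated on the suspect host (or against an offline
# hive, see the note below); only the driver name 'root_drv' comes from
# the post, the rest is illustrative.

$suspectName = 'root_drv'
$services    = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Service Start values as Windows defines them
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

Get-ChildItem -Path $services | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    # Type 1 = kernel driver, Type 2 = file-system driver; skip user-mode services
    if ($p.Type -ne 1 -and $p.Type -ne 2) { return }

    $image = $p.ImagePath
    if (-not $image) { return }

    # Normalise the forms a driver ImagePath commonly takes into an absolute path
    $image = $image -replace '^\\\?\?\\', ''
    $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $image = $image -replace '^System32\\', "$env:SystemRoot\System32\"
    if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $env:SystemRoot $image }

    # A registered driver whose file the Win32 API cannot see is a hidden-file indicator
    $visible = Test-Path -LiteralPath $image
    $flags = @()
    if (-not $visible) { $flags += 'IMAGE NOT VISIBLE' }
    if ($_.PSChildName -like "*$suspectName*" -or $image -like "*$suspectName*") {
        $flags += 'MATCHES SUSPECT NAME'
    }

    [pscustomobject]@{
        Service   = $_.PSChildName
        Start     = $startNames[[int]$p.Start]
        ImagePath = $image
        Visible   = $visible
        Flags     = ($flags -join '; ')
    }
} | Sort-Object Visible, Service | Format-Table -AutoSize
```

Run it twice: once on the live box, and once against the SYSTEM hive mounted from another OS or from the Recovery Console (`reg load HKLM\Offline D:\winnt\system32\config\SYSTEM`, then point `$services` at `HKLM:\Offline\ControlSet001\Services`). A service key that appears only in the offline view is being hidden by the rootkit, and that key, not just the .sys file, is what has to go. Two caveats worth keeping in mind: Windows File Protection only restores files in its own catalog, so a third-party driver does not come back from dllcache, which means a second copy is being dropped by the service entry or by another component that should be found before trusting the host again; and a compromised kernel cannot be trusted to report on itself, so the offline view is the authoritative one.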
