root_drv.sys rootkit

• Previous message: Marc Fossi: "SecurityFocus Microsoft Newsletter #213"
• Next in thread: Renouf, Phil: "RE: root_drv.sys rootkit"
• Maybe reply: Renouf, Phil: "RE: root_drv.sys rootkit"
• Maybe reply: Dennis Dimka: "RE: root_drv.sys rootkit"
• Maybe reply: Calder, James (EXP): "RE: root_drv.sys rootkit"
• Maybe reply: Roy Morris: "RE: root_drv.sys rootkit"
• Maybe reply: Ryan Parrish: "Re: root_drv.sys rootkit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 8 Nov 2004 20:02:49 +0100
To: focus-ms@securityfocus.com

Hello all,

I have a Windows 2003 Web Edition Server that has been compromised due
to some big mistakes of us.
The question is that now this server have a rootkit installed. It
contains some complex configuration and i would like sooo much to be
able to keep the server without reinstall !!

The rootkit is loaded from C:\winnt\system32\root_drv.sys (i can see
it running with TaskInfo2003).
File is hidden and can't be seen within windows at user level, but i'm
able to see and remove file from a linux box with samba.
So i remove the file, i remove whole dllcache and i reboot system. But
root_drv is back there again and running !!
Any clue where is that rootkit backed up and/or how can i remove it !!
Any idea which rootkit is that and where can i find some info about?

Help me please!!
Thany you all!

BR,
Xavi.

---------------------------------------------------------------------------
---------------------------------------------------------------------------

• Previous message: Marc Fossi: "SecurityFocus Microsoft Newsletter #213"
• Next in thread: Renouf, Phil: "RE: root_drv.sys rootkit"
• Maybe reply: Renouf, Phil: "RE: root_drv.sys rootkit"
• Maybe reply: Dennis Dimka: "RE: root_drv.sys rootkit"
• Maybe reply: Calder, James (EXP): "RE: root_drv.sys rootkit"
• Maybe reply: Roy Morris: "RE: root_drv.sys rootkit"
• Maybe reply: Ryan Parrish: "Re: root_drv.sys rootkit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Server hacked? ... There seems to be some kind of rootkit running on your server. ... Active Internet connections ... (Ubuntu) Re: exploit or human ... so on) while some other software runs just fine makes the rootkit ... the hdd from the possibly compromised machine, ... before making any server accessible from the Internet. ... What is interesting is that this hard-disk failure ... (Incidents) Re: w3k server ... I would check out the rootkit tool from http://www.sysinternals.com there ... >> You don't clean rootkits. ... >>> I am convinced my server has been compromised. ... >>> its registry entries and files. ... (microsoft.public.windows.server.general) RE: root_drv.sys rootkit ... > to find any other listening ports on that box (accomplished ... > I have a Windows 2003 Web Edition Server that has been compromised due ... > The question is that now this server have a rootkit installed. ... (Focus-Microsoft) Re: User access & security ... rootkit of some sort and totally compromise the system. ... or the root account has no password because it's to hard to type the ... server - must be OK!" ... (comp.os.linux.security)