RE: root_drv.sys rootkit

From: Renouf, Phil (Phil.Renouf_at_tdsecurities.com)
Date: 11/08/04

    Date: Mon, 8 Nov 2004 15:38:02 -0500
    To: "Llistes Diverses" <deixalles@gmail.com>, <focus-ms@securityfocus.com>
    
    

    Rebuild the server; you will never know if you have gotten everything
    that was done to that box, even if you get rid of the rootkit.

    Unplug the box, document the configuration (if it hasn't already been
    done), rebuild the server and document the build and configuration
    process in detail, make sure you have patched the holes that were used
    to compromise it in the first place, then plug it back in.

    Phil

    -----Original Message-----
    From: Llistes Diverses [mailto:deixalles@gmail.com]
    Sent: Monday, November 08, 2004 2:03 PM
    To: focus-ms@securityfocus.com
    Subject: root_drv.sys rootkit

    Hello all,

    I have a Windows 2003 Web Edition Server that has been compromised due
    to some big mistakes of ours.
    The question is that now this server has a rootkit installed. It
    contains some complex configuration and I would like sooo much to be
    able to keep the server without reinstalling!!

    The rootkit is loaded from C:\winnt\system32\root_drv.sys (I can see it
    running with TaskInfo2003).
    The file is hidden and can't be seen within Windows at user level, but I'm
    able to see and remove the file from a Linux box with Samba.
    So I remove the file, I remove the whole dllcache and I reboot the system. But
    root_drv is back there again and running!!
    Any clue where that rootkit is backed up and/or how I can remove it!!
    Any idea which rootkit that is and where I can find some info about it?

    Help me please!!
    Thank you all!

    BR,
    Xavi.
