RE: root_drv.sys rootkit

From: Dennis Dimka (dennis.dimka_at_manna.com)
Date: 11/08/04

  • Next message: Calder, James (EXP): "RE: root_drv.sys rootkit" 
    To: 'Llistes Diverses' <deixalles@gmail.com>, focus-ms@securityfocus.com
Date: Mon, 8 Nov 2004 14:40:55 -0600

    Search for a reference to it in the registry, AND search for files
    containing the text "root_drv.sys".

    Once you've cleaned it, you should also run a port scan against this machine
    to find any other listening ports on that box (accomplished attackers will
    put more than one on a box, should the admin find one).

    And of course--your firewall should ONLY allow in port 80, and (if
    necessary) 21, 25, etc. Outbound connections should only be allowed if
    established--this severely limits what an attacker's rootkit can do when
    installed.

    -----Original Message-----
    From: Llistes Diverses [mailto:deixalles@gmail.com]
    Sent: Monday, November 08, 2004 1:03 PM
    To: focus-ms@securityfocus.com
    Subject: root_drv.sys rootkit

    Hello all,

    I have a Windows 2003 Web Edition Server that has been compromised due
    to some big mistakes of us.
    The question is that now this server have a rootkit installed. It
    contains some complex configuration and i would like sooo much to be
    able to keep the server without reinstall !!

    The rootkit is loaded from C:\winnt\system32\root_drv.sys (i can see
    it running with TaskInfo2003).
    File is hidden and can't be seen within windows at user level, but i'm
    able to see and remove file from a linux box with samba.
    So i remove the file, i remove whole dllcache and i reboot system. But
    root_drv is back there again and running !!
    Any clue where is that rootkit backed up and/or how can i remove it !!
    Any idea which rootkit is that and where can i find some info about?

    Help me please!!
    Thany you all!

    BR,
    Xavi.

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

  • Next message: Calder, James (EXP): "RE: root_drv.sys rootkit"

    Relevant Pages

    • RE: root_drv.sys rootkit
      ... > to find any other listening ports on that box (accomplished ... > I have a Windows 2003 Web Edition Server that has been compromised due ... > The question is that now this server have a rootkit installed. ...
      (Focus-Microsoft)
    • root_drv.sys rootkit
      ... I have a Windows 2003 Web Edition Server that has been compromised due ... to some big mistakes of us. ... The question is that now this server have a rootkit installed. ...
      (Focus-Microsoft)
    • Re: [fw-wiz] FW: OT? New compromise.
      ... If you suspect you have a rootkit, it shouldn't be that hard to find it, ... depending on whether you can shut down any of these boxes and run Knoppix ... Port 1863 is the port for Microsoft's Instant Messenger client ...
      (Firewall-Wizards)
    • RE: root_drv.sys rootkit
      ... everything is to do a fresh install. ... Subject: root_drv.sys rootkit ... I have a Windows 2003 Web Edition Server that has been compromised due ...
      (Focus-Microsoft)
    • Re: [Full-Disclosure] Removing ShKit Root Kit
      ... >"Searching for ShKit rootkit default files and dirs... ... ethernet port and run netstat -tupan on the server. ... server level security. ...
      (Full-Disclosure)