RE: root_drv.sys rootkit

From: Calder, James (EXP) (james.calder_at_lmco.com)
Date: 11/08/04

Date: Mon, 08 Nov 2004 15:42:42 -0500
To: Llistes Diverses <deixalles@gmail.com>, focus-ms@securityfocus.com

This root_drv.sys is the one file you found. What about the files you
didn't find?

If it's been rooted, the only sure way to make sure you get rid of
everything is to do a fresh install.

j.

-----Original Message-----
From: Llistes Diverses [mailto:deixalles@gmail.com]
Sent: November 8, 2004 2:03 PM
To: focus-ms@securityfocus.com
Subject: root_drv.sys rootkit

Hello all,

I have a Windows 2003 Web Edition Server that has been compromised due
to some big mistakes of ours. The issue is that this server now has a
rootkit installed. It contains some complex configuration and I would
like sooo much to be able to keep the server without reinstalling!!

The rootkit is loaded from C:\winnt\system32\root_drv.sys (I can see it
running with TaskInfo2003). The file is hidden and can't be seen within
Windows at user level, but I'm able to see and remove the file from a Linux
box with Samba. So I remove the file, I remove the whole dllcache and I
reboot the system. But root_drv is back there again and running!! Any clue
where that rootkit is backed up and/or how I can remove it?! Any idea
which rootkit that is and where I can find some info about it?

Help me please!!
Thank you all!

BR,
Xavi.
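One check a defender would run on Xavi's question of where the driver keeps coming back from, added here as an example and not part of the original thread: a Windows kernel driver is started from a service entry under HKLM\SYSTEM\CurrentControlSet\Services, so a regedit export of that key (taken offline, e.g. from the Linux box) can be searched for the entry whose ImagePath names the driver, and every registered driver can be compared against the file list the Windows API is willing to show. The .reg excerpt, the Beep service used as a benign neighbour, and the visible-file list below are constructed sample data; the helper names are mine.

```python
import re

# Constructed sample: excerpt of a regedit 5.00 export of the Services key.
# regedit writes REG_EXPAND_SZ values (the usual type of ImagePath) as
# hex(2): UTF-16LE bytes, NUL-terminated, with ",\" line continuations.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\root_drv]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,\
  6f,00,6f,00,74,00,5f,00,64,00,72,00,76,00,2e,00,73,00,79,00,73,00,00,00
"""

# Constructed sample: files the Windows API reports under the system root
# (what a "dir /s" from a user-level shell would list). root_drv.sys is
# absent because the rootkit hides it from API-level enumeration.
VISIBLE_FILES = {"system32\\drivers\\beep.sys"}

SERVICE_KERNEL_DRIVER = 1  # the Services "Type" value for kernel drivers


def decode_value(raw):
    """Decode one regedit value: REG_SZ string, dword, or hex(2) REG_EXPAND_SZ."""
    if raw.startswith('"') and raw.endswith('"'):
        # regedit escapes backslashes and quotes inside REG_SZ with a backslash
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^hex\(2\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # other types are kept verbatim; not needed for this check


def parse_reg_export(text):
    """Parse a regedit export into {key_path: {value_name: decoded_value}}."""
    # join ",\<newline>  " continuation lines before parsing
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def kernel_driver_services(keys):
    """Return {service_name: ImagePath} for every Type 1 (kernel driver) entry."""
    return {
        path.rsplit("\\", 1)[-1]: values["ImagePath"]
        for path, values in keys.items()
        if values.get("Type") == SERVICE_KERNEL_DRIVER and "ImagePath" in values
    }


def normalize_image_path(image_path):
    """Strip the \\??\\ and \\SystemRoot\\ prefixes drivers commonly carry and
    lower-case the rest, so it can be matched against a directory listing."""
    p = image_path
    for prefix in ("\\??\\", "\\SystemRoot\\", "SystemRoot\\"):
        if p.lower().startswith(prefix.lower()):
            p = p[len(prefix):]
    return p.lower()


def find_hidden_drivers(keys, visible_files):
    """Drivers registered in Services whose binary the Windows API does not
    list: a cross-view discrepancy that points at the persistence entry."""
    visible = {v.lower() for v in visible_files}
    return {
        name: path
        for name, path in kernel_driver_services(keys).items()
        if normalize_image_path(path) not in visible
    }


if __name__ == "__main__":
    services = parse_reg_export(SAMPLE_REG)
    for name, path in find_hidden_drivers(services, VISIBLE_FILES).items():
        print(f"driver service {name!r} loads {path!r} but the file is not visible")
```

On the sample data the script reports the root_drv service pointing at system32\root_drv.sys, which is the registry entry that re-launches the driver on every boot; deleting the file alone leaves that entry (and whatever component restores the file) in place, which is why James's answer is a fresh install.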

    
