RE: root_drv.sys rootkit

From: Roy Morris (rmorris_at_internetsecure.com)
Date: 11/08/04

    Date: Mon, 8 Nov 2004 16:33:10 -0500
    To: "Dennis Dimka" <dennis.dimka@manna.com>, "Llistes Diverses" <deixalles@gmail.com>, <focus-ms@securityfocus.com>

    You should completely remove the machine, and carefully audit all other machines it interacts with.

    > -----Original Message-----
    > From: Dennis Dimka [mailto:dennis.dimka@manna.com]
    > Sent: November 8, 2004 3:41 PM
    > To: 'Llistes Diverses'; focus-ms@securityfocus.com
    > Subject: RE: root_drv.sys rootkit
    >
    >
    > Search for a reference to it in the registry, AND search for files
    > containing the text "root_drv.sys".
    >
    > Once you've cleaned it, you should also run a port scan against this
    > machine to find any other listening ports on that box (accomplished
    > attackers will put more than one on a box, should the admin find one).
    >
    > And of course--your firewall should ONLY allow in port 80, and (if
    > necessary) 21, 25, etc. Outbound connections should only be allowed if
    > established--this severely limits what an attacker's rootkit can do when
    > installed.
    >
    > -----Original Message-----
    > From: Llistes Diverses [mailto:deixalles@gmail.com]
    > Sent: Monday, November 08, 2004 1:03 PM
    > To: focus-ms@securityfocus.com
    > Subject: root_drv.sys rootkit
    >
    > Hello all,
    >
    > I have a Windows 2003 Web Edition Server that has been compromised due
    > to some big mistakes of ours.
    > The question is that now this server has a rootkit installed. It
    > contains some complex configuration and I would like sooo much to be
    > able to keep the server without reinstalling !!
    >
    > The rootkit is loaded from C:\winnt\system32\root_drv.sys (I can see
    > it running with TaskInfo2003).
    > The file is hidden and can't be seen within Windows at user level, but I'm
    > able to see and remove the file from a Linux box with Samba.
    > So I removed the file, removed the whole dllcache and rebooted the system. But
    > root_drv is back there again and running !!
    > Any clue where that rootkit is backed up and/or how I can remove it !!
    > Any idea which rootkit that is and where I can find some info about it?
    >
    > Help me please!!
    > Thank you all!
    >
    > BR,
    > Xavi.
    >
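Dennis's advice above to search the registry for a reference to the driver has one catch: regedit exports a service's ImagePath (REG_EXPAND_SZ) as a hex(2) blob of UTF-16LE bytes, so grepping a .reg export for "root_drv.sys" can miss the very entry that reloads it at boot. The following Python is an added example, not code from anyone in this thread; the service key name root_drv and the sample export are constructed, and a real export should be read with encoding='utf-16' since regedit writes it with a BOM.

```python
# Added example (not any poster's code): list registry values in a .reg export
# that reference a driver name. A service's ImagePath is exported as a hex(2)
# UTF-16LE blob, so a plain text search for the name misses it; decode it first.
import re
from typing import Dict, List
DRIVER = "root_drv.sys"
# Constructed sample export; the service key 'root_drv' is hypothetical. The
# hex(2) ImagePath is \??\C:\winnt\system32\root_drv.sys over continuation lines.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\root_drv]
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,6f,00,6f,00,\
  74,00,5f,00,64,00,72,00,76,00,2e,00,73,00,79,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"ImagePath"="\\SystemRoot\\System32\\drivers\\beep.sys"
"""

def _logical_lines(reg_text: str) -> List[str]:
    """Join hex value continuation lines (trailing backslash) into one line."""
    out, buf = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    return out

def decode_value(line: str) -> str:
    """Render hex(1)/hex(2)/hex(7) (REG_SZ family) values as text for searching."""
    m = re.match(r'^("[^"]*"|@)=hex\(([127])\):(.*)$', line)
    if not m:
        return line  # quoted strings, dword and plain hex: already searchable
    raw = bytes(int(b, 16) for b in m.group(3).split(",") if b)
    return m.group(1) + "=" + raw.decode("utf-16-le", "replace").replace("\x00", " ")

def find_reg_refs(reg_text: str, needle: str = DRIVER) -> Dict[str, List[str]]:
    """Map each registry key to its decoded value lines that mention needle."""
    hits: Dict[str, List[str]] = {}
    key = None
    for line in _logical_lines(reg_text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            text = decode_value(line)
            if needle.lower() in text.lower():
                hits.setdefault(key, []).append(text)
    return hits
```

Every key this reports is a persistence point to remove (or, if the box is being rebuilt as Roy advises, to preserve as evidence) before the driver file itself is deleted.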

