RE: root_drv.sys rootkit
From: Roy Morris (rmorris_at_internetsecure.com)
Date: 11/08/04
- Previous message: Calder, James (EXP): "RE: root_drv.sys rootkit"
- Maybe in reply to: Llistes Diverses: "root_drv.sys rootkit"
- Next in thread: Ryan Parrish: "Re: root_drv.sys rootkit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 8 Nov 2004 16:33:10 -0500
To: "Dennis Dimka" <dennis.dimka@manna.com>, "Llistes Diverses" <deixalles@gmail.com>, <focus-ms@securityfocus.com>
You should completely remove the machine, and carefully audit all other machines it interacts with.
> -----Original Message-----
> From: Dennis Dimka [mailto:dennis.dimka@manna.com]
> Sent: November 8, 2004 3:41 PM
> To: 'Llistes Diverses'; focus-ms@securityfocus.com
> Subject: RE: root_drv.sys rootkit
>
>
> Search for a reference to it in the registry, AND search for files
> containing the text "root_drv.sys".
>
> Once you've cleaned it, you should also run a port scan against this machine
> to find any other listening ports on that box (accomplished attackers will
> put more than one on a box, should the admin find one).
>
> And of course--your firewall should ONLY allow in port 80, and (if
> necessary) 21, 25, etc. Outbound connections should only be allowed if
> established--this severely limits what an attacker's rootkit can do when
> installed.
>
> -----Original Message-----
> From: Llistes Diverses [mailto:deixalles@gmail.com]
> Sent: Monday, November 08, 2004 1:03 PM
> To: focus-ms@securityfocus.com
> Subject: root_drv.sys rootkit
>
> Hello all,
>
> I have a Windows 2003 Web Edition Server that has been compromised due
> to some big mistakes on our part.
> The thing is that now this server has a rootkit installed. It
> contains some complex configuration and I would like sooo much to be
> able to keep the server without reinstalling!!
>
> The rootkit is loaded from C:\winnt\system32\root_drv.sys (I can see
> it running with TaskInfo2003).
> The file is hidden and can't be seen within Windows at user level, but I'm
> able to see and remove the file from a Linux box with Samba.
> So I remove the file, I remove the whole dllcache and I reboot the system. But
> root_drv is back there again and running!!
> Any clue where that rootkit is backed up and/or how I can remove it!!
> Any idea which rootkit that is and where I can find some info about it?
>
> Help me please!!
> Thank you all!
>
> BR,
> Xavi.
>
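The hunt Dennis describes above (find every registry reference to the driver, and every file on disk that mentions it) is easier to trust when it is done from a clean analysis host against the mounted disk, exactly the way Xavi saw the hidden file over Samba: a kernel driver that hides itself from the live system cannot hide from another machine reading the volume. The script below is an added example written for this page, not code from anyone in the thread. It assumes the compromised volume is mounted read-only at $Root on a modern Windows analysis box, that the Windows directory name is the one the poster gave (winnt), and that reg.exe can load the offline SYSTEM hive; $Root, $WinDir and $HiveName are assumptions, and the script must run as an administrator for the hive load to work.

```powershell
# Added example (not from the original thread): offline triage for a driver
# referenced by name, run on a CLEAN analysis host against a mounted copy of
# the compromised volume. $Root, $WinDir and $HiveName are assumptions.
param(
    [string]$Root     = 'E:\',           # mounted compromised volume (read-only)
    [string]$WinDir   = 'winnt',         # poster's path was C:\winnt\system32
    [string]$Needle   = 'root_drv.sys',  # driver name to hunt for
    [string]$HiveName = 'OfflineSYSTEM'  # temporary key the offline hive is loaded under
)

# 1. Every file on the volume whose contents mention the driver name.
#    This catches the loader, any config file, and the copy that keeps
#    restoring the driver after it is deleted (dllcache was one guess).
#    -Force includes hidden/system files; a filter driver on the victim
#    cannot interfere because we are not running on the victim.
$pattern = [regex]::Escape($Needle)
$fileHits = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Select-String -Pattern $pattern -List -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Path

Write-Output "Files referencing ${Needle}:"
$fileHits | ForEach-Object { Write-Output "  $_" }

# 2. Registry: load the offline SYSTEM hive and walk every ControlSet's
#    Services key, reporting any value (ImagePath, Start, Group, ...) that
#    mentions the driver. Walking all control sets, not just the one that
#    was last booted, matters: a service entry can hide in another set.
$hivePath = Join-Path $Root "$WinDir\System32\config\SYSTEM"
& reg.exe load "HKLM\$HiveName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load offline hive from $hivePath" }

try {
    $controlSets = Get-ChildItem -Path "HKLM:\$HiveName" -ErrorAction Stop |
        Where-Object { $_.PSChildName -like 'ControlSet*' }

    Write-Output "Registry values referencing ${Needle}:"
    foreach ($cs in $controlSets) {
        $services = Get-ChildItem -Path "$($cs.PSPath)\Services" -ErrorAction SilentlyContinue
        foreach ($svc in $services) {
            $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                # Skip PowerShell's own PS* note properties on the object.
                if ($p.Name -like 'PS*') { continue }
                if ("$($p.Value)" -like "*$Needle*") {
                    Write-Output ("  {0}\Services\{1}\{2} = {3}" -f
                        $cs.PSChildName, $svc.PSChildName, $p.Name, $p.Value)
                }
            }
        }
    }
} finally {
    # Always unload the hive, otherwise the next run fails to load it.
    & reg.exe unload "HKLM\$HiveName" | Out-Null
}
```

Run it against the mounted volume rather than on the infected server; on the victim a kernel rootkit can filter both the directory listing and the registry enumeration, so a clean result there proves nothing. The port scan Dennis recommends is likewise done from another host (nmap or similar against the server's address) and compared with the list of services the box is supposed to offer. Whatever this turns up, Roy's point stands: the findings tell you what the attacker touched and what else to audit, not that a rebuild can be skipped.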