Re: root_drv.sys rootkit

From: Craig Paterson (
Date: 11/08/04

  • Next message: Ryan Parrish: "Re: root_drv.sys rootkit"
    Date: Mon, 08 Nov 2004 13:36:47 -0800
    To: Dennis Dimka <>

    Dennis Dimka wrote:

    >Once you've cleaned it, you should also run a port scan against this machine
    >to find any other listening ports on that box (accomplished attackers will
    >put more than one on a box, should the admin find one).

    Also bear in mind that if they're (rootkit authors) good, the ports
    they're using won't necessarily show up in an nmap because the listening
    process will only respond to some specific client addresses, or uses
    port knocking to verify the client, etc...

    As everyone else says, rebuilding is the only way to be sure.



  • Next message: Ryan Parrish: "Re: root_drv.sys rootkit"

    Relevant Pages

    • Re: remote desktop
      ... > lan 5 computers running XP Pro with remote desktop enabled, ... Can I change the listening ports on the others, ... Foward TCP 3389 to ...
    • Re: Ports open closed.? and timeouts
      ... established connections and listening ports eg software on the server ... netstat -ap |grep 1494 ... This tells me that the ports are not open. ... the router has to keep track. ...
    • Re: Localhost port scanner utility
      ... "Displays all connections and listening ports. ... What "server connections" does this refer to? ... > the open port to a process. ...
    • Re: Security scan reveals open ports????
      ... listening ports with the process id using the port. ... Manager, Processes tab, use the pid value to locate what the process is ... > Our security admin just brought me a Nessus scan report from an XP Pro box ...
    • Re: Question abut threads
      ... I dont have any particular reason for 8 ports except that I have 8 clients ... TcpClient client = listener.AcceptTcpClient; ... encodings it would be. ... StringBuilder to accumulate the string, ...