Re: root_drv.sys rootkit

From: Craig Paterson (craigp_at_tippett.com)
Date: 11/08/04

  • Next message: Ryan Parrish: "Re: root_drv.sys rootkit"
    Date: Mon, 08 Nov 2004 13:36:47 -0800
    To: Dennis Dimka <dennis.dimka@manna.com>
    
    

    Dennis Dimka wrote:

    >Once you've cleaned it, you should also run a port scan against this machine
    >to find any other listening ports on that box (accomplished attackers will
    >put more than one on a box, should the admin find one).
    >
    >

    Also bear in mind that if they're (rootkit authors) good, the ports
    they're using won't necessarily show up in an nmap because the listening
    process will only respond to some specific client addresses, or uses
    port knocking to verify the client, etc...

    As everyone else says, rebuilding is the only way to be sure.

    Craig.
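The cross-check a defender can still do when a source-gated or port-knocking listener hides from an external scan is to diff the host's own socket table against the scanner's view; anything the host says is listening but the scanner did not see open is unexplained and needs a reason. This is an added example, not code from the thread; both input samples are constructed (a Windows `netstat -ano` listing and an nmap `-oG` line) and the host address 192.0.2.10 and PID values are placeholders.

```python
import re

# Constructed sample of host-side "netstat -ano" output (not from the original thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1204
"""

# Constructed sample of nmap grepable output (-oG) for the same host, scanned from an
# address the hidden listener does not answer, so its port reads "filtered" not "open".
NMAP_GREPABLE_SAMPLE = (
    "Host: 192.0.2.10 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, "
    "31337/filtered/tcp/////\tIgnored State: closed (997)\n"
)


def parse_netstat_listeners(text):
    """Return {("tcp", port): pid} for every TCP socket the host reports as LISTENING."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])  # rsplit also handles "[::]:135"
        listeners[("tcp", port)] = int(parts[4])
    return listeners


def parse_nmap_open(text):
    """Return {(proto, port): state} from the "Ports:" field of an nmap -oG host line."""
    states = {}
    m = re.search(r"Ports: ([^\t]*)", text)
    if not m:
        return states
    for entry in m.group(1).split(","):
        fields = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version/
        states[(fields[2], int(fields[0]))] = fields[1]
    return states


def hidden_listeners(netstat_text, nmap_text):
    """Sockets the host is listening on that the external scan did not confirm open.
    Each one is either firewalled, gated by client address or behind port knocking:
    exactly the listeners the thread warns a port scan alone will miss."""
    host = parse_netstat_listeners(netstat_text)
    scan = parse_nmap_open(nmap_text)
    return sorted((proto, port, pid) for (proto, port), pid in host.items()
                  if scan.get((proto, port)) != "open")
```

Run it on a real `netstat -ano` capture and `nmap -oG` file from the compromised box and the scanner, bearing in mind that a kernel-mode rootkit can also falsify the host's own socket table, which is why the thread's conclusion still stands: rebuild.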
