Re: root_drv.sys rootkit

From: Ryan Parrish (RyanP_at_foxracing.com)
Date: 11/08/04

    Date: Mon, 8 Nov 2004 13:44:57 -0800
    To: <dennis.dimka@manna.com>, <deixalles@gmail.com>, <focus-ms@securityfocus.com>
    
    

    If it is a good kit like 'hacker defender', that will not be good enough.
    It is not common, but not uncommon for a hacker to install two kits, one that may activate at a later date.

    Unless you have a file integrity database like tripwire, you need to rebuild. Even a system restore from backup is not good enough, because do you know the exact date you were hacked?

    Reinstall the system, sorry. :-(
    _-`-_-`-_-`-_-`-_-`-_-`-_-`-_-`-_-`-_

    Ryan Parrish
    ryanp@foxracing.com
    IT Dept.
    408-776-8633 extension 1229
    Please direct all support questions to -
    (`..-> itsupport@foxracing.com

    _-`-_-`-_-`-_-`-_-`-_-`-_-`-_-`-_-`-_
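The "file integrity database like tripwire" point above, as an added example in Python (not code from the thread or from Tripwire): a minimal baseline tool that records path, size and SHA-256 for every regular file under a root, stores the baseline as JSON, and diffs a later snapshot against it. The directory layout, file names and file contents in `demo()` are constructed for illustration.

```python
"""Added example, not from the original thread: a minimal file-integrity
baseline of the kind Tripwire keeps, so that "which files changed since the
last known-good state" has an answer.  Records path, size and SHA-256 for
every regular file under a root and diffs a later snapshot against it."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(root: str) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its
    size and SHA-256.  Symlinks are skipped rather than followed."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            rel = p.relative_to(root_path).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": hash_file(p)}
    return baseline


def save_baseline(baseline: dict, out_file: str) -> None:
    """Write the baseline as JSON.  Keep this copy off the monitored host
    (read-only media or another machine): a baseline the attacker can edit
    proves nothing."""
    with open(out_file, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(in_file: str) -> dict:
    with open(in_file) as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: files added, removed, or whose hash changed."""
    base_keys, cur_keys = set(baseline), set(current)
    changed = sorted(k for k in base_keys & cur_keys
                     if baseline[k]["sha256"] != current[k]["sha256"])
    return {"added": sorted(cur_keys - base_keys),
            "removed": sorted(base_keys - cur_keys),
            "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake system32, then simulate an
    intrusion (driver dropped, DLL patched) and diff.  Returns the report."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        sys32 = Path(tmp) / "system32"
        sys32.mkdir()
        (sys32 / "kernel32.dll").write_bytes(b"MZ original kernel32")
        (sys32 / "ntoskrnl.exe").write_bytes(b"MZ original kernel")
        baseline_file = str(Path(store) / "baseline.json")
        save_baseline(take_baseline(tmp), baseline_file)
        # Simulated attacker activity after the baseline was taken.
        (sys32 / "root_drv.sys").write_bytes(b"MZ rootkit driver")
        (sys32 / "kernel32.dll").write_bytes(b"MZ patched kernel32")
        return compare(load_baseline(baseline_file), take_baseline(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats follow directly from the thread. First, a kernel-mode rootkit filters what the running OS reports, so `os.walk` on the live box may never see the hidden driver; take the comparison snapshot from a trusted environment (the disk mounted under another OS, as the original poster did from Linux). Second, the diff only means something against a baseline taken before the intrusion and stored out of the attacker's reach; with no such baseline there is nothing to compare to, which is the reason for the "rebuild" advice above.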

    -----Original Message-----
    From: Dennis Dimka <dennis.dimka@manna.com>
    To: 'Llistes Diverses' <deixalles@gmail.com>; focus-ms@securityfocus.com <focus-ms@securityfocus.com>
    Sent: Mon Nov 08 12:40:55 2004
    Subject: RE: root_drv.sys rootkit

    Search for a reference to it in the registry, AND search for files
    containing the text "root_drv.sys".

    Once you've cleaned it, you should also run a port scan against this machine
    to find any other listening ports on that box (accomplished attackers will
    put more than one on a box, should the admin find one).

    And of course--your firewall should ONLY allow in port 80, and (if
    necessary) 21, 25, etc. Outbound connections should only be allowed if
    established--this severely limits what an attacker's rootkit can do when
    installed.
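The "search for files containing the text" and "run a port scan" steps above, as an added example in Python (not code from the thread). It assumes a directory root to search and a reachable host to scan; the files planted and the listener opened in `demo()` are constructed for illustration. The search goes slightly beyond the message: it matches case-insensitively and in both ASCII and UTF-16LE, because registry hive files and most Windows binaries store strings as UTF-16LE, which a plain ASCII grep misses.

```python
"""Added example (not from the thread): file-content search for a driver name
plus a TCP connect scan to enumerate listening ports on a suspect host."""
import os
import socket
import tempfile
from pathlib import Path


def find_references(root: str, name: str, chunk: int = 1 << 20) -> list:
    """Return relative paths of files whose bytes contain `name`,
    case-insensitively, encoded as ASCII or as UTF-16LE.  Files are read in
    chunks with an overlap so a match straddling a boundary is still found."""
    needles = [name.lower().encode("ascii"), name.lower().encode("utf-16-le")]
    overlap = max(len(n) for n in needles) - 1
    root_path = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root_path):
        for fname in files:
            path = Path(dirpath) / fname
            try:
                with path.open("rb") as f:
                    tail = b""
                    while True:
                        data = f.read(chunk)
                        if not data:
                            break
                        window = (tail + data).lower()  # lowercases ASCII bytes only
                        if any(n in window for n in needles):
                            hits.append(path.relative_to(root_path).as_posix())
                            break
                        tail = data[-overlap:]
            except OSError:
                continue  # locked or unreadable file; skip it
    return sorted(hits)


def scan_ports(host: str, ports, timeout: float = 0.3) -> list:
    """TCP connect scan: a port counts as open if the handshake completes.
    Run it from a different machine against the suspect host; a kernel
    rootkit can hide its own sockets from netstat on the box itself."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def demo() -> dict:
    """Constructed scenario: a batch loader naming the driver in ASCII, a
    fake hive fragment naming it in UTF-16LE with different case, and an
    unrelated binary; then one listening socket for the scan to find."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "loader.bat").write_bytes(
            b"@echo off\r\nsc start root_drv\r\nrem root_drv.sys\r\n")
        (Path(tmp) / "SYSTEM.frag").write_bytes(
            b"hbin" + "ImagePath \\??\\C:\\winnt\\system32\\Root_Drv.sys".encode("utf-16-le"))
        (Path(tmp) / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 64)
        refs = find_references(tmp, "root_drv.sys")

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        found = scan_ports("127.0.0.1", range(port - 2, port + 3))
    finally:
        listener.close()
    return {"references": refs, "planted_port": port, "open_ports": found}


if __name__ == "__main__":
    print(demo())
```

For the registry half of the advice, the Windows-side equivalent is `reg query HKLM /s /f root_drv.sys` (and likewise for `HKU`), which walks the hive recursively for keys, value names and data containing the string; searching the on-disk hive files with `find_references` from a trusted boot is what catches a key that a rootkit hides from the live registry API.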

    -----Original Message-----
    From: Llistes Diverses [mailto:deixalles@gmail.com]
    Sent: Monday, November 08, 2004 1:03 PM
    To: focus-ms@securityfocus.com
    Subject: root_drv.sys rootkit

    Hello all,

    I have a Windows 2003 Web Edition Server that has been compromised due
    to some big mistakes on our part.
    The question is that now this server has a rootkit installed. It
    contains some complex configuration and I would like sooo much to be
    able to keep the server without reinstalling !!

    The rootkit is loaded from C:\winnt\system32\root_drv.sys (I can see
    it running with TaskInfo2003).
    The file is hidden and can't be seen within Windows at user level, but I'm
    able to see and remove the file from a Linux box with Samba.
    So I remove the file, I remove the whole dllcache and I reboot the system. But
    root_drv is back there again and running !!
    Any clue where that rootkit is backed up and/or how I can remove it !!
    Any idea which rootkit that is and where I can find some info about it?

    Help me please!!
    Thank you all!

    BR,
    Xavi.



