Re: root_drv.sys rootkit

From: Ryan Parrish (RyanP_at_foxracing.com)
Date: 11/08/04

  • Next message: fIrestOrm: "Supported products in Windows Security Center (WSC)"
    Date: Mon, 8 Nov 2004 13:44:57 -0800
    To: <dennis.dimka@manna.com>, <deixalles@gmail.com>, <focus-ms@securityfocus.com>
    
    

    If it is a good kit like 'hacker defender', that will not be good enough.
    It is not common, but not uncommon for a hacker to install two kits, one that may activate at a latter date.

    Unless you have a file integerity database like tripwire, you need to rebuild. Even a system restore from backup is not good enough, because do you know the exact date you where hacked?

    Reinstall the sysem, sorry. :-(
    _-`-_-`-_-`-_-`-_-`-_-`-_-`-_-`-_-`-_

    Ryan Parrish
    ryanp@foxracing.com
    IT Dept.
    408-776-8633 extension 1229
    Please direct all support questions to -
    (`..-> itsupport@foxracing.com

    _-`-_-`-_-`-_-`-_-`-_-`-_-`-_-`-_-`-_

    -----Original Message-----
    From: Dennis Dimka <dennis.dimka@manna.com>
    To: 'Llistes Diverses' <deixalles@gmail.com>; focus-ms@securityfocus.com <focus-ms@securityfocus.com>
    Sent: Mon Nov 08 12:40:55 2004
    Subject: RE: root_drv.sys rootkit

    Search for a reference to it in the registry, AND search for files
    containing the text "root_drv.sys".

    Once you've cleaned it, you should also run a port scan against this machine
    to find any other listening ports on that box (accomplished attackers will
    put more than one on a box, should the admin find one).

    And of course--your firewall should ONLY allow in port 80, and (if
    necessary) 21, 25, etc. Outbound connections should only be allowed if
    established--this severely limits what an attacker's rootkit can do when
    installed.

    -----Original Message-----
    From: Llistes Diverses [mailto:deixalles@gmail.com]
    Sent: Monday, November 08, 2004 1:03 PM
    To: focus-ms@securityfocus.com
    Subject: root_drv.sys rootkit

    Hello all,

    I have a Windows 2003 Web Edition Server that has been compromised due
    to some big mistakes of us.
    The question is that now this server have a rootkit installed. It
    contains some complex configuration and i would like sooo much to be
    able to keep the server without reinstall !!

    The rootkit is loaded from C:\winnt\system32\root_drv.sys (i can see
    it running with TaskInfo2003).
    File is hidden and can't be seen within windows at user level, but i'm
    able to see and remove file from a linux box with samba.
    So i remove the file, i remove whole dllcache and i reboot system. But
    root_drv is back there again and running !!
    Any clue where is that rootkit backed up and/or how can i remove it !!
    Any idea which rootkit is that and where can i find some info about?

    Help me please!!
    Thany you all!

    BR,
    Xavi.

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


  • Next message: fIrestOrm: "Supported products in Windows Security Center (WSC)"