Logon.dll? Possible root-kit?

From: Nick Jacobsen (nick@ethicsdesign.com)
Date: 04/03/03

    From: "Nick Jacobsen" <nick@ethicsdesign.com>
    To: <incidents@securityfocus.com>
    Date: Wed, 2 Apr 2003 18:09:47 -0800
    
    

    Hi all, hoping someone can point me in the right direction.
        I usually do penetration testing, but one of my clients had someone,
    they suspect a past employee, break into their network. I didn't get called
    in till well after the incident, and they did not have any logs from the
    time of the incident. Now, I have found two extremely odd things... One, a
    file called logon.dll in the winnt\system32 directory, that was NOT made by
    Microsoft, and two, that inetsrv (Internet Information Services) does not
    show up in the process list, though it is running. BTW, this is a Windows
    2000 box. I have advised this client to wipe the box and restore from a
    Ghost image, but they are not willing to. I guess my question is for any
    possible information on a root kit that could have been used against this
    machine, as well as any tools you know about that may help me detect the
    rootkit.
        On a second note, I have discovered an IRC bot installed on this machine
    as well. The file name was r_bot.dll, and it connected to irc.choopa.net,
    channel #thallia, chan password "suckme"... have any of you run into this
    specific bot? If so, what commands does it support?

    Anyway, thanks in advance for your help.

    Nick Jacobsen
    Ethics Design
    nick@ethicsdesign.com
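The symptom described in the post (IIS is serving requests, yet its process is missing from the process list) is the classic sign of a process-hiding rootkit, and the standard defender's response is a cross-view check: take two independent views of the system and look for entries present in one but not the other. The script below is an added example, not code from Nick's post or from any tool it mentions. It diffs the socket table (`netstat -ano`, which reports the owning PID of every socket) against the task list (`tasklist /FO CSV /NH`) and flags PIDs that own sockets but have no task-list entry. Both samples are constructed for this example; the PIDs, ports and addresses are made up. Note that these exact switches belong to Windows XP and later (`netstat -o` and `tasklist` are not present on the Windows 2000 box in the post, where tlist.exe from the Support Tools and a port-to-PID mapper would supply the same two views), so the parsers would need adapting to those tools' output formats.

```python
"""Cross-view check: PIDs that own sockets (netstat -ano) but are absent
from the task list (tasklist /FO CSV /NH).

A user-mode rootkit that hooks process enumeration can hide a process from
the task list, but the socket table is a second, independent view that
the hook usually does not cover. The two sample outputs below are
constructed for this example, not captured from any real machine."""
import csv
import io
import re

# Constructed sample: `tasklist /FO CSV /NH` output on a box where the
# rootkit is hiding the IIS process (inetinfo.exe, PID 640 here).
TASKLIST_CSV = '''"System Idle Process","0","Console","0","16 K"
"System","8","Console","0","216 K"
"winlogon.exe","160","Console","0","3,240 K"
"services.exe","212","Console","0","5,100 K"
"svchost.exe","424","Console","0","4,008 K"
"explorer.exe","812","Console","0","9,720 K"
'''

# Constructed sample: `netstat -ano` output. PID 640 owns the HTTP listener
# and an outbound connection, but never appears in the task list above.
NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       424
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    192.168.1.10:1053      10.0.0.5:6667          ESTABLISHED     640
  UDP    0.0.0.0:445            *:*                                    8
'''


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist /FO CSV /NH` output."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        # Column 0 is the image name, column 1 the PID; skip blank rows.
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs


# TCP rows carry a State column; UDP rows do not, hence the optional group.
NETSTAT_RE = re.compile(
    r'^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$')


def parse_netstat(text):
    """Return a list of (proto, local, remote, state, pid) from `netstat -ano`."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def hidden_socket_owners(tasklist_text, netstat_text):
    """Map each PID that owns a socket but is missing from the task list to
    the sockets it owns.

    A PID in the socket table with no task-list entry is either a race (the
    process exited between the two snapshots) or a process hidden from
    enumeration, which is exactly the symptom in the post. Re-run the two
    commands back to back to rule out the race before drawing conclusions."""
    procs = parse_tasklist(tasklist_text)
    findings = {}
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        if pid not in procs:
            desc = f"{proto} {local} -> {remote} {state}".rstrip()
            findings.setdefault(pid, []).append(desc)
    return findings


def report(findings):
    """Render the findings as plain text for the incident notes."""
    lines = []
    for pid, socks in sorted(findings.items()):
        lines.append(f"PID {pid} owns sockets but is not in the task list:")
        lines.extend("  " + s for s in socks)
    return "\n".join(lines) if lines else "no hidden socket owners found"


if __name__ == "__main__":
    print(report(hidden_socket_owners(TASKLIST_CSV, NETSTAT)))
```

On a live box, feed the script the two commands' real output instead of the constructed strings. The same cross-view idea applies to the suspicious file: comparing the hash or publisher signature of logon.dll against a clean Windows 2000 install of the same service-pack level is a second, independent view of whether the file belongs there, and an offline view (booting from trusted media and listing system32) defeats any hooking the rootkit does while it is running.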


