RE: Logon.dll? Possible root-kit?

From: Amarante, Rodrigo P. (RPAmarante@directvla.com)
Date: 04/03/03

  • Next message: Mike Mills: "UDP scans from AOL NS boxes?"
    Date: Thu, 3 Apr 2003 10:13:59 -0500
    From: "Amarante, Rodrigo P." <RPAmarante@directvla.com>
    To: "Nick Jacobsen" <nick@ethicsdesign.com>, <incidents@securityfocus.com>
    

    Logon.dll is normally a protocol parser for the R_Logon (Generated RPC
    for interface logon) protocol. It's normally installed along with the
    Windows Network Monitor. It's normally located in
    winnt\system32\netmon\parsers and is made by microsoft. So, by being in
    winnt\system32 and not from MS, might indicate that a 3rd party network
    monitor has been installed...
    Also, the reason why inetsrv doesn't show up it's because IIS actually
    runs as inetinfo.exe
    On the bot itself, I have not seen it before.
    Did your client give a reason for not reinstalling everything? It seems
    obvious to me that if a IRC bot is running on your machine, the system
    has been compromised (even if by a rogue admin)...

    -----Original Message-----
    From: Nick Jacobsen [mailto:nick@ethicsdesign.com]
    Sent: Wednesday, April 02, 2003 9:10 PM
    To: incidents@securityfocus.com

    Hi all, hoping someone can point me in the right direction.
        I usually do penetration testing, but one of my clients had someone,
    they suspect a past employee, break into their network. I didn't get
    called
    in till well after the incident, and they did not have any logs from the
    time of the incident. Now, I have found two extremely odd things...
    One, a
    file called logon.dll in the winnt\system32 directory, that was NOT made
    by
    microsoft, and two, that inetsrv (internet information services) does
    not
    show up in the process list, though it is running. BTW, this is a
    windows
    2000 box. I have advised this client to wipe the box and restore from a
    ghost image, but they are not willing to. I guess my question is for
    any
    possible information on a root kit that could have been used againt this
    machine, as well as any tools you know about that may help me detect the
    rootkit.
        On a second note, I have discovered an IRC bot installed on this
    machine
    as well. The file name was r_bot.dll, and it connected to
    irc.choopa.net,
    channel #thallia, chan password "suckme"... have any of you run into
    this
    specific bot? if so, what commands does it support?

    Anyway, thanks in advance for your help.

    Nick Jacobsen
    Ethics Design
    nick@ethicsdesign.com

    ------------------------------------------------------------------------

    ----
    Powerful Anti-Spam Management and More...
    SurfControl E-mail Filter puts the brakes on spam,
    viruses and malicious code. Safeguard your business
    critical communications. Download a free 30-day trial:
    http://www.securityfocus.com/SurfControl-incidents
    ----------------------------------------------------------------------------
    Powerful Anti-Spam Management and More...
    SurfControl E-mail Filter puts the brakes on spam,
    viruses and malicious code. Safeguard your business
    critical communications. Download a free 30-day trial:
    http://www.securityfocus.com/SurfControl-incidents
    

  • Next message: Mike Mills: "UDP scans from AOL NS boxes?"

    Relevant Pages

    • Re: Network Monitoring question-please read
      ... > network, Like for example if people complain about network ... > huge traffic or who does what and give me high level info ...
      (microsoft.public.windows.server.networking)
    • Re: Network Monitoring question-please read
      ... > network, Like for example if people complain about network ... > huge traffic or who does what and give me high level info ...
      (microsoft.public.windows.server.networking)
    • Network Monitoring question-please read
      ... network, Like for example if people complain about network ... slowdown I can use this tool and see which nodes creating ... huge traffic or who does what and give me high level info ...
      (microsoft.public.windows.server.networking)