RE: Windows 2k rootkit incident

From: Drew Weaver (drew_at_orbityl.com)
Date: 06/13/03

  • Next message: Karl Larsson: "Re: Windows 2k rootkit incident, files zipped for your pleasure."
    To: "'Harlan Carvey'" <keydet89@yahoo.com>
    Date: Thu, 12 Jun 2003 19:47:58 -0400
    
    

    Basically the box was locking up. I logged into it and noticed the patch
    level was way behind, I immediately became suspicious and Port scanned
    it, sure enough there was an FXP daemon listening on PORT 444, from
    there I ran FPORT to determine the name of the file that was listening
    on 444 it was secsrvc.exe, that's where I hit the brick wall, because
    secsrvc.exe didn't exist, then just for kicks I did some reading about
    NT rootkits and tried the 'rename' trick. So I renamed a file secsrvc,
    and it vanished. Then I ascertained that something must be hiding files
    with that extension from various parts of my system, so I made a new
    copy of regedit, taskmgr and cmd all with the prefix secsrvr
    (secsrvrregedit.exe) then I was able to see everything that was
    affected, it installed itself as two services, one was called XGA and
    the other one was called 'Secure Routing'. Both obvious shams.

    -----Original Message-----
    From: Harlan Carvey [mailto:keydet89@yahoo.com]
    Sent: Thursday, June 12, 2003 7:34 PM
    To: drew@orbityl.com
    Subject: re: Windows 2k rootkit incident

    Drew,

    Can you elaborate on what made you suspicious about
    this particular rooted box, and what you did to find
    the files in question?

    It looks like some of the files are renamed MS
    files...for example, mfxp_sperm.exe is xcalcs.exe. It
    also looks as if psloglist and psinfo are included
    either in the rootkit, or you ran them to provide
    information...w/o some kind of explanation, it really
    isn't clear.

    This does look like HackerDefender was used...any idea
    how it got there?

    Thanks for the time,

    Harlan

    __________________________________
    Do you Yahoo!?
    Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
    http://calendar.yahoo.com

    ----------------------------------------------------------------------------
    ----------------------------------------------------------------------------


  • Next message: Karl Larsson: "Re: Windows 2k rootkit incident, files zipped for your pleasure."

    Relevant Pages