Re: Help, possible rootkit
From: Arias Hung (radio_at_m-a-g.net)
Date: Sun, 24 Oct 2004 14:22:58 -0700 To: firstname.lastname@example.org
On Sat, 23 Oct 2004, BillyBob sketched:
> I have noticed that my XP system is behaving like I have a rootkit.
> - My mouse is jumpy (it freezes for a second when I move it around the
> desktop) and the minimized Taskmanager in the systray shows I have around
> 25 - 30 % usage, but when I open it, there is no process listed using this
This alone can hardly be conclusive that you've been rootkitted, unless you've understated the mouse surfing on its own accord of course. :o
So far sounds like a memory leak; runaway process somewhere in XP sucking overhead. Mouse erraticism could very well be related.
> - I did a netstat, fport, openports and none of these show that I have any
> odd ports open or any connections established.
> - even when I disconnect from the Internet these symptoms do not stop. They
> stop if I reboot, but then start again.
Is this on your home LAN where you have a router that you could independently monitor whether your machine is making or requesting connections out to the net without your knowledge? What you might want to consider as a medium, longer term strategy is setting up an independent IDS like snort to monitor all traffic in and out of your gateway, and ideally on a one way RX only line so you can be absolutely sure of its integrity.
> I have ran VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
> could not find anything.
I'll once again state the obvious that if you've been owned, there's nothing you can possibly do to know 100% that you're not anymore but to do a complete reinstall. Especially, when your attempts originate from the owned machine in question.
> Any more suggestions ?
Ditto from above. Peace of mind = complete reinstall, In the future use a 3rd party IDS like snort.
Still, from what you've desribed, it might still be nothing more than a memory leak.