Re: Help, possible rootkit
From: Arias Hung (radio_at_m-a-g.net)
Date: 10/24/04
- Previous message: Harlan Carvey: "Re: Help, possible rootkit"
- In reply to: BillyBob: "Help, possible rootkit"
- Next in thread: Marcus Merrin: "Re: Help, possible rootkit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 24 Oct 2004 14:22:58 -0700
To: incidents@securityfocus.com
On Sat, 23 Oct 2004, BillyBob sketched:
> I have noticed that my XP system is behaving like I have a rootkit.
> - My mouse is jumpy (it freezes for a second when I move it around the
> desktop) and the minimized Taskmanager in the systray shows I have around
> 25 - 30 % usage, but when I open it, there is no process listed using this
> much.
This alone can hardly be conclusive that you've been rootkitted, unless you've understated the mouse surfing on its own accord of course. :o
So far sounds like a memory leak; runaway process somewhere in XP sucking overhead. Mouse erraticism could very well be related.
> - I did a netstat, fport, openports and none of these show that I have any
> odd ports open or any connections established.
> - even when I disconnect from the Internet these symptoms do not stop. They
> stop if I reboot, but then start again.
Is this on your home LAN where you have a router that you could independently monitor whether your machine is making or requesting connections out to the net without your knowledge? What you might want to consider as a medium, longer term strategy is setting up an independent IDS like snort to monitor all traffic in and out of your gateway, and ideally on a one way RX only line so you can be absolutely sure of its integrity.
>
> I have ran VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
> could not find anything.
I'll once again state the obvious that if you've been owned, there's nothing you can possibly do to know 100% that you're not anymore but to do a complete reinstall. Especially, when your attempts originate from the owned machine in question.
> Any more suggestions ?
Ditto from above. Peace of mind = complete reinstall. In the future, use a 3rd party IDS like snort.
Still, from what you've described, it might still be nothing more than a memory leak.
A
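The reply above recommends not trusting the suspect machine's own view and instead watching its traffic from an independent vantage point (the router, or a snort sensor on a receive-only tap). One way to make that comparison concrete is a cross-view check: take the socket table the host reports via `netstat -an` and diff it against the connections an external sniffer logged for that host; a connection on the wire that the host cannot account for is exactly what a socket-hiding rootkit would produce. The following is an added example, not code from the thread or from any tool named in it. The `netstat` output and the gateway log lines are constructed samples, and the gateway log format (`timestamp PROTO src -> dst`) is an assumption for illustration, not the output format of snort or any other real tool.

```python
"""Cross-view check: connections seen on the wire vs. sockets the host admits to.

Added example for the thread above; not part of the original post.
"""
import re
from typing import NamedTuple


class Flow(NamedTuple):
    proto: str
    local: str    # "ip:port" on the suspect host
    remote: str   # "ip:port" of the other end


# Constructed sample of `netstat -an` output from the suspect XP host (not real data).
HOST_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1054      64.233.161.99:80       ESTABLISHED
  UDP    192.168.1.10:137       *:*
"""

# Constructed sample of flows logged at the gateway by an independent sniffer.
# The line format here is an assumption made for this example, not a real tool's output.
WIRE_LOG = """\
2004-10-24T14:20:01 TCP 192.168.1.10:1054 -> 64.233.161.99:80
2004-10-24T14:20:03 TCP 10.0.0.5:2231 -> 192.168.1.10:139
2004-10-24T14:20:09 TCP 192.168.1.10:4444 -> 203.0.113.7:6667
2004-10-24T14:20:11 UDP 192.168.1.10:137 -> 192.168.1.255:137
"""

SUSPECT = "192.168.1.10"  # address of the machine under suspicion

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
WIRE_RE = re.compile(r"^\S+\s+(TCP|UDP)\s+(\S+)\s+->\s+(\S+)\s*$")


def parse_netstat(text):
    """Return (established flows, bound listeners) from Windows `netstat -an` text.

    A listener is recorded as (proto, port) because any peer may connect to it;
    UDP sockets are treated the same way since netstat shows no peer for them.
    """
    flows, listeners = set(), set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header / blank lines
        proto, local, foreign, state = m.groups()
        port = local.rsplit(":", 1)[1]
        if proto == "UDP" or state == "LISTENING":
            listeners.add((proto, port))
        else:
            flows.add(Flow(proto, local, foreign))
    return flows, listeners


def parse_wire(text, suspect):
    """Normalise gateway log lines into Flows from the suspect host's point of view."""
    flows = []
    for line in text.splitlines():
        m = WIRE_RE.match(line)
        if not m:
            continue
        proto, src, dst = m.groups()
        if src.startswith(suspect + ":"):
            flows.append(Flow(proto, src, dst))      # outbound from suspect
        elif dst.startswith(suspect + ":"):
            flows.append(Flow(proto, dst, src))      # inbound to suspect
    return flows


def unexplained(host_flows, listeners, wire_flows):
    """Flows on the wire that the host's own socket table cannot account for."""
    out = []
    for f in wire_flows:
        port = f.local.rsplit(":", 1)[1]
        if f in host_flows or (f.proto, port) in listeners:
            continue  # host admits to this connection or to a listener on that port
        out.append(f)
    return out


def check(netstat_text=HOST_NETSTAT, wire_text=WIRE_LOG, suspect=SUSPECT):
    """Run the cross-view diff and return the flows the host did not report."""
    host_flows, listeners = parse_netstat(netstat_text)
    return unexplained(host_flows, listeners, parse_wire(wire_text, suspect))


if __name__ == "__main__":
    for f in check():
        print(f"HIDDEN? {f.proto} {f.local} -> {f.remote} absent from host netstat")
```

With the constructed data, the outbound connection from port 4444 to 203.0.113.7:6667 is the only flow the host's socket table does not explain. The check is only as good as the independence of the wire view: the sniffer has to sit on a box the suspect cannot reach, which is the point of the receive-only line suggested above, and a clean diff does not prove the host is clean, since a rootkit that is not currently talking leaves nothing to see.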