Re: Help, possible rootkit

From: Arias Hung (radio_at_m-a-g.net)
Date: 10/24/04

    Date: Sun, 24 Oct 2004 14:22:58 -0700
    To: incidents@securityfocus.com
    
    

    On Sat, 23 Oct 2004, BillyBob sketched:

    > I have noticed that my XP system is behaving like I have a rootkit.

    > - My mouse is jumpy (it freezes for a second when I move it around the
    > desktop) and the minimized Taskmanager in the systray shows I have around
    > 25 - 30 % usage, but when I open it, there is no process listed using this
    > much.

    This alone can hardly be conclusive that you've been rootkitted, unless you've understated the mouse surfing of its own accord, of course. :o

    So far it sounds like a memory leak: a runaway process somewhere in XP sucking overhead. The mouse erraticism could very well be related.

    > - I did a netstat, fport, openports and none of these show that I have any
    > odd ports open or any connections established.
    > - even when I disconnect from the Internet these symptoms do not stop. They
    > stop if I reboot, but then start again.

    Is this on your home LAN, where you have a router from which you could independently monitor whether your machine is making or requesting connections out to the net without your knowledge? What you might want to consider as a medium- to longer-term strategy is setting up an independent IDS like snort to monitor all traffic in and out of your gateway, ideally on a one-way RX-only line so you can be absolutely sure of its integrity.

    >
    > I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
    > could not find anything.

    I'll once again state the obvious: if you've been owned, there's nothing you can possibly do to know 100% that you're not anymore except a complete reinstall. Especially when your attempts originate from the owned machine in question.

    > Any more suggestions ?

    Ditto from above. Peace of mind = complete reinstall. In the future, use a 3rd party IDS like snort.

    Still, from what you've described, it might still be nothing more than a memory leak.

    A
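
The reply above makes two points a practitioner would want to act on: host-side tools (netstat, fport) cannot be trusted once the kernel is owned, and an independent sensor at the gateway can. The script below, added here as an illustration and not part of the original thread, cross-checks what the suspect host's own netstat admits to against flows recorded independently at the gateway (for example by a Snort sensor on a receive-only line). A TCP session the wire saw but the host never reported is exactly what a socket-hiding rootkit produces. The netstat text, the flow-log format, the host address 192.168.1.10 and all IPs are constructed for the example (documentation ranges), not real output.

```python
"""Cross-check a host's own netstat against flows seen at the gateway.

Added example; not code from the original mailing-list thread. A kernel
rootkit can hide sockets from netstat/fport on the host, but it cannot
hide packets from a sensor it does not control. Everything below
(NETSTAT_OUTPUT, GATEWAY_FLOWS, the flow-log format, the addresses) is
constructed for illustration.
"""
from typing import NamedTuple

HOST_IP = "192.168.1.10"  # assumption: LAN address of the suspect XP box


class Conn(NamedTuple):
    """One TCP connection from the host's point of view."""
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int


# Constructed sample of `netstat -an` as run on the suspect host itself.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      203.0.113.4:80         ESTABLISHED
  TCP    192.168.1.10:1041      203.0.113.9:443        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample of flows logged at the gateway for the same window.
# Hypothetical format: "<proto> <src:sport> <dst:dport> <packets>".
GATEWAY_FLOWS = """\
TCP 192.168.1.10:1040 203.0.113.4:80 12
TCP 192.168.1.10:1041 203.0.113.9:443 8
TCP 192.168.1.10:1337 198.51.100.7:6667 143
UDP 192.168.1.10:1044 192.168.1.1:53 2
"""


def _split_addr(addr: str):
    """'1.2.3.4:80' -> ('1.2.3.4', 80)."""
    ip, port = addr.rsplit(":", 1)
    return ip, int(port)


def parse_netstat(text: str) -> set:
    """Return the ESTABLISHED TCP connections the host admits to."""
    conns = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue  # headers, LISTENING-only lines and UDP have no peer
        proto, local, remote, state = parts[:4]
        if state != "ESTABLISHED":
            continue
        _, lport = _split_addr(local)
        rip, rport = _split_addr(remote)
        conns.add(Conn(proto, lport, rip, rport))
    return conns


def parse_gateway_flows(text: str, host_ip: str) -> set:
    """Return TCP flows touching host_ip, normalized to the host's view."""
    conns = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        proto, src, dst, _pkts = parts
        if proto != "TCP":
            # netstat on XP shows no foreign address for UDP sockets, so
            # UDP flows cannot be compared one-to-one; skip them here.
            continue
        sip, sport = _split_addr(src)
        dip, dport = _split_addr(dst)
        if sip == host_ip:
            conns.add(Conn(proto, sport, dip, dport))
        elif dip == host_ip:
            conns.add(Conn(proto, dport, sip, sport))
    return conns


def hidden_connections(netstat_text: str, flow_text: str, host_ip: str) -> list:
    """TCP sessions the gateway saw that the host's netstat did not report."""
    seen_on_wire = parse_gateway_flows(flow_text, host_ip)
    admitted = parse_netstat(netstat_text)
    return sorted(seen_on_wire - admitted)


if __name__ == "__main__":
    for c in hidden_connections(NETSTAT_OUTPUT, GATEWAY_FLOWS, HOST_IP):
        print(f"NOT reported by host: {c.proto} local:{c.local_port} "
              f"-> {c.remote_ip}:{c.remote_port}")
```

Two caveats when doing this for real: capture the netstat snapshot and the gateway window at the same time, since a short-lived session will otherwise show up as a false "hidden" hit, and treat an empty result as absence of evidence only; a rootkit that is not talking during the window leaves nothing on the wire to compare, which is why the reply still recommends a clean reinstall for peace of mind.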

