Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: root_drv.sys rootkit

from [Roy Morris] Network Security [Permanent Link]
Subject: RE: root_drv.sys rootkit
Date: Mon, 8 Nov 2004 16:33:10 -0500 
You should completely remove the machine, and carefully audit all other 
machines it interacts with.




-----Original Message-----
From: Dennis Dimka [mailto:dennis.dimka@manna.com]
Sent: November 8, 2004 3:41 PM
To: 'Llistes Diverses'; focus-ms@securityfocus.com
Subject: RE: root_drv.sys rootkit


Search for a reference to it in the registry, AND search for files
containing the text "root_drv.sys".

Once you've cleaned it, you should also run a port scan 
against this machine
to find any other listening ports on that box (accomplished 
attackers will
put more than one on a box, should the admin find one).

And of course--your firewall should ONLY allow in port 80, and (if
necessary) 21, 25, etc.  Outbound connections should only be 
allowed if
established--this severely limits what an attacker's rootkit 
can do when
installed.

-----Original Message-----
From: Llistes Diverses [mailto:deixalles@gmail.com] 
Sent: Monday, November 08, 2004 1:03 PM
To: focus-ms@securityfocus.com
Subject: root_drv.sys rootkit

Hello all,

I have a Windows 2003 Web Edition Server that has been compromised due
to some big mistakes of us.
The question is that now this server have a rootkit installed. It
contains some complex configuration and i would like sooo much to be
able to keep the server without reinstall !!

The rootkit is loaded from C:\winnt\system32\root_drv.sys (i can see
it running with TaskInfo2003).
File is hidden and can't be seen within windows at user level, but i'm
able to see and remove file from a linux box with samba.
So i remove the file, i remove whole dllcache and i reboot system. But
root_drv is back there again and running !!
Any clue where is that rootkit backed up and/or how can i remove it !!
Any idea which rootkit is that and where can i find some info about?

Help me please!!
Thany you all!

BR,
Xavi.

--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------

--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------




---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: root_drv.sys rootkit, Dennis Dimka
Next by Date:  Re: root_drv.sys rootkit, Craig Paterson
Previous by Thread:  Re: root_drv.sys rootkit, Craig Paterson
Next by Thread:  Re: root_drv.sys rootkit, Ryan Parrish
Indexes:  [Date] [Thread] [Top] [All Lists]