If it is a good kit like 'hacker defender', that will not be good enough.
It is not common, but not uncommon for a hacker to install two kits, one that may activate at a later date.
Unless you have a file integrity database like tripwire, you need to rebuild. Even a system restore from backup is not good enough, because do you know the exact date you were hacked?
Reinstall the system, sorry. :-(
_-`-_-`-_-`-_-`-_-`-_-`-_-`-_-`-_-`-_
Ryan Parrish
ryanp (at) foxracing (dot) com [email concealed]
IT Dept.
408-776-8633 extension 1229
Please direct all support questions to -
(¯`·.¸¸.-> itsupport (at) foxracing (dot) com [email concealed]
_-`-_-`-_-`-_-`-_-`-_-`-_-`-_-`-_-`-_
-----Original Message-----
From: Dennis Dimka <dennis.dimka (at) manna (dot) com [email concealed]>
To: 'Llistes Diverses' <deixalles (at) gmail (dot) com [email concealed]>; focus-ms (at) securityfocus (dot) com [email concealed] <focus-ms (at) securityfocus (dot) com [email concealed]>
Sent: Mon Nov 08 12:40:55 2004
Subject: RE: root_drv.sys rootkit
Search for a reference to it in the registry, AND search for files
containing the text "root_drv.sys".
Once you've cleaned it, you should also run a port scan against this machine
to find any other listening ports on that box (accomplished attackers will
put more than one on a box, should the admin find one).
And of course--your firewall should ONLY allow in port 80, and (if
necessary) 21, 25, etc. Outbound connections should only be allowed if
established--this severely limits what an attacker's rootkit can do when
installed.
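The registry search Dennis suggests, as an added example that is not part of the thread: a small Python parser over a regedit export (the sample export below is constructed, not from the compromised server) that also decodes hex(2) REG_EXPAND_SZ values. A driver's ImagePath is normally REG_EXPAND_SZ, which regedit exports as UTF-16LE hex, so a plain text search for "root_drv.sys" never sees it. The key names, value names and helper names are assumptions.

```python
import re

NEEDLE = "root_drv.sys"   # driver name from the thread

def _utf16_hex(s: str) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ: hex(2), UTF-16LE, NUL-terminated."""
    return ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))

# Constructed sample export (assumed keys); the ImagePath is deliberately hex-encoded.
IMAGE_PATH_HEX = _utf16_hex("system32\\root_drv.sys")
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\root_drv]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):{IMAGE_PATH_HEX}
"DisplayName"="Sample Driver"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Sample\\Loader]
"Path"="C:\\\\winnt\\\\system32\\\\ROOT_DRV.SYS"
"Note"="nothing to see here"
"""

def parse_reg(text: str):
    """Yield (key, value_name, decoded_string) for every string-like value.
    Decodes hex(2)/hex(7) UTF-16LE values and joins the backslash
    continuation lines regedit uses for long hex blobs."""
    key, lines, i = None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip(); i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, val = m.group(1), m.group(2)
        while val.endswith("\\"):          # hex bytes wrapped onto the next line
            val = val[:-1] + lines[i].strip(); i += 1
        if val.startswith('"') and val.endswith('"'):
            yield key, name, val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif val.lower().startswith(("hex(2):", "hex(7):")):
            raw = bytes(int(h, 16) for h in val.split(":", 1)[1].split(",") if h)
            yield key, name, raw.decode("utf-16-le", "replace").rstrip("\0")

def find_references(text: str, needle: str = NEEDLE):
    """Return (key, value_name, value) triples whose decoded string mentions the driver."""
    return [(k, n, v) for k, n, v in parse_reg(text) if needle.lower() in v.lower()]
```

Run it over a full export (regedit /e) rather than a single hive so the Services entry that reloads the driver at boot and any secondary loader key both show up.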
-----Original Message-----
From: Llistes Diverses [mailto:deixalles (at) gmail (dot) com [email concealed]]
Sent: Monday, November 08, 2004 1:03 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: root_drv.sys rootkit
Hello all,
I have a Windows 2003 Web Edition Server that has been compromised due
to some big mistakes of ours.
The question is that now this server has a rootkit installed. It
contains some complex configuration and I would like sooo much to be
able to keep the server without reinstalling!!
The rootkit is loaded from C:\winnt\system32\root_drv.sys (I can see
it running with TaskInfo2003).
The file is hidden and can't be seen within Windows at user level, but I'm
able to see and remove the file from a Linux box with Samba.
So I remove the file, I remove the whole dllcache and I reboot the system. But
root_drv is back there again and running!!
Any clue where that rootkit is backed up and/or how I can remove it!!
Any idea which rootkit that is and where I can find some info about it?
Help me please!!
Thank you all!
BR,
Xavi.