Re: w3k server
- From: "Matt Gibson" <mattg@xxxxxxxxxxxxxxx>
- Date: Sat, 3 Sep 2005 22:38:58 -0700
Rootkits load at a level that can lie to programs such as these.
This is why you do NOT clean a rootkit. You cannot ever be sure that you
have removed all traces of it.
Your only secure option is to format and rebuild.
Matt Gibson - GSEC
"Steve Schofield" <steve@xxxxxxxxx> wrote in message
news:%23mXDiXPsFHA.2604@xxxxxxxxxxxxxxxxxxxxxxx
>I would check out the rootkit tool from http://www.sysinternals.com. There
>is also a tool they have called autoruns.exe that would show all the
>EXEs that load in the registry at boot time. Between these two you can
>identify most everything.
>
> --
> Thank you,
>
> Steve Schofield
> Microsoft MVP - ASP/ASP.NET
> ASPInsider Member - MCP
>
> http://www.orcsweb.com/
> Powerful Web Hosting Solutions
> #1 in Service and Support
>
> "RKM" <RKM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:CFB83D29-DDB9-49F2-B637-C3B791C36573@xxxxxxxxxxxxxxxx
>> Reformatting this server is not an option at the moment, only as a last
>> resort when everything else has been exhausted. I know there is something
>> there; like I said, I have the tools and such to clean it, I am just not
>> ready yet. It has been isolated and no further harm can come of it. Myself
>> and IT security are working closely with this and we just want to dissect
>> it to get a grasp on this.
>>
>> "Matt Gibson" wrote:
>>
>>> You don't clean rootkits.
>>>
>>> You format, and start from scratch.
>>>
>>> Matt Gibson - GSEC
>>>
>>> "RKM" <RKM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>> news:87075C1E-4045-406F-AB68-76D608A76839@xxxxxxxxxxxxxxxx
>>> > Hi,
>>> > I am convinced my server has been compromised. After research I am
>>> > certain it has. However, I am still a little unsure as to how and what
>>> > is going. It appears that a program called Hacker Defender has been
>>> > installed, thus hiding its registry entries and files. I have found two
>>> > registry entries and certain tools show that two exe files have been
>>> > run; the kicker is those files are nowhere to be found, they just do
>>> > not exist on the system. There were also log files that were deleted.
>>> > And I found an odd reg entry with the name of Andreas Haak, with no
>>> > subfolders for the key; I assume that the children have been hidden. It
>>> > is apparent that the process used utilized something that MS has
>>> > designed called Alternate Data Streams (ADS). I have the tools and
>>> > instructions on how to remove this rootkit, but I need a little more
>>> > insight on this before I clean it. I have isolated the server so it is
>>> > useless to them at the moment. One thing I have not been able to
>>> > confirm is if w3k server supports the ADS structure. Does anyone have
>>> > any sorts of info on this? Thanks.
>>>
>>>
>>>
>
>
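A defender-side check for the ADS question raised in the thread, as an added example that is not from any of the posters: the script below walks a directory tree on an NTFS volume and lists every alternate data stream on every file, flagging any stream name other than the common Zone.Identifier download marker. It assumes PowerShell 3.0 or later (for the -Stream parameter of Get-Item) and a starting path of C:\inetpub; both are my assumptions, not values from the thread.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams
# under a directory tree and report every stream other than the default
# ':$DATA' stream. Requires PowerShell 3.0+ (Get-Item -Stream).
param(
    [string]$Root = 'C:\inetpub'   # assumed starting directory; adjust as needed
)

$findings = @()
Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns one object per stream, ':$DATA' included.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Length = $_.Length
                    # Zone.Identifier is the usual benign "downloaded from the
                    # Internet" marker; anything else deserves a closer look.
                    Benign = ($_.Stream -eq 'Zone.Identifier')
                }
            }
    }

# Non-benign streams sort to the top of the report.
$findings | Sort-Object Benign, File | Format-Table -AutoSize

# To inspect the content of a flagged stream (path and stream name are placeholders):
# Get-Content -LiteralPath 'C:\path\to\file.txt' -Stream 'streamname' -Raw
```

A kernel-level rootkit such as the one described can hook the file APIs this script relies on and hide streams from user-mode tools, which is Matt's point; running the same scan against the disk mounted offline from known-clean media avoids that blind spot.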