Re: w3k server
- From: RKM <RKM@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 4 Sep 2005 00:12:02 -0700
Thanks Steve, your suggestion is what found the hidden exe files that were
run and do not "exist" on the system. But they are there; we found them.
"Steve Schofield" wrote:
> I would check out the rootkit tool from http://www.sysinternals.com; there
> is also a tool they have called autoruns.exe that would show all the EXEs
> that load in the registry at boot time. Between these two you can identify
> most everything.
>
> --
> Thank you,
>
> Steve Schofield
> Microsoft MVP - ASP/ASP.NET
> ASPInsider Member - MCP
>
> http://www.orcsweb.com/
> Powerful Web Hosting Solutions
> #1 in Service and Support
>
> "RKM" <RKM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:CFB83D29-DDB9-49F2-B637-C3B791C36573@xxxxxxxxxxxxxxxx
> > Reformatting this server is not an option at the moment, only as a last
> > resort when everything else has been exhausted. I know there is something
> > there. Like I said, I have the tools and such to clean it, I am just not
> > ready yet. It has been isolated and no further harm can come of it; myself
> > and IT security are working closely with this and we just want to dissect
> > it to get a grasp on this.
> >
> > "Matt Gibson" wrote:
> >
> >> You don't clean rootkits.
> >>
> >> You format, and start from scratch.
> >>
> >> Matt Gibson - GSEC
> >>
> >> "RKM" <RKM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:87075C1E-4045-406F-AB68-76D608A76839@xxxxxxxxxxxxxxxx
> >> > Hi,
> >> > I am convinced my server has been compromised. After research I am
> >> > certain it has. However, I am still a little unsure as to how and what
> >> > is going on. It appears that a program called Hacker Defender has been
> >> > installed, thus hiding its registry entries and files. I have found two
> >> > registry entries and certain tools show that two exe files have been
> >> > run; the kicker is those files are nowhere to be found, they just do not
> >> > exist on the system. There were also log files that were deleted. And I
> >> > found an odd reg entry with the name of Andreas Haak, with no subfolders
> >> > for the key; I assume that the children have been hidden. It is apparent
> >> > that the process used utilized something that MS has designed called
> >> > Alternate Data Streams (ADS). I have the tools and instructions on how
> >> > to remove this rootkit, but I need a little more insight on this before
> >> > I clean it. I have isolated the server so it is useless to them at the
> >> > moment. One thing I have not been able to confirm is if w3k server
> >> > supports the ADS structure. Does anyone have any sorts of info on this?
> >> > Thanks.
> >>
> >>
> >>
>
>
>
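Windows Server 2003 volumes formatted with NTFS do support alternate data streams, so the concern in the original post applies. As an added example that is not from this thread, the PowerShell below lists non-default streams under a path and dumps the registry autostart entries that autoruns.exe also covers; it assumes PowerShell 3.0 or later on the box being examined and `$Root` as an assumed starting directory.

```powershell
# Added example (not from the thread): survey a Windows server for two of the
# artifacts discussed above, non-default NTFS alternate data streams and
# executables registered to start from the registry. Requires PowerShell 3.0+
# in an elevated session; $Root is an assumed starting path.
param(
    [string]$Root = 'C:\inetpub'   # assumed; widen to C:\ for a full sweep
)

# 1. Alternate data streams. Every NTFS file has an unnamed ':$DATA' stream;
#    anything else is an extra stream. Zone.Identifier is the benign
#    mark-of-the-web stream attached to downloaded files, so it is counted
#    separately rather than dropped.
$streams = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' }

$motw    = @($streams | Where-Object { $_.Stream -eq 'Zone.Identifier' })
$suspect = @($streams | Where-Object { $_.Stream -ne 'Zone.Identifier' })

"Non-default streams under ${Root}: $(@($streams).Count)"
"  Zone.Identifier (mark of the web): $($motw.Count)"
"  to review by hand: $($suspect.Count)"
$suspect | Select-Object FileName, Stream, Length | Format-Table -AutoSize

# 2. Registry autostart locations. Values are listed raw so the image paths
#    can be compared against what is visible on disk; an entry that runs but
#    whose file cannot be found is the symptom described in the thread.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        "$key\$($p.Name) = $($p.Value)"
    }
}
```

Everything read through the live system's file and registry APIs can be filtered by a kernel-mode rootkit like the one described, so an empty result is inconclusive on its own. Compare it with a raw-volume or offline listing, which is the cross-check the Sysinternals rootkit tool performs.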