
RE: Logon.dll? Possible root-kit?

From: Amarante, Rodrigo P. <RPAmarante(at)directvla.com>
Date: Thu Apr 03 2003 - 10:13:59 EST


Logon.dll is normally a protocol parser for the R_Logon (Generated RPC for interface logon) protocol. It's normally installed along with the Windows Network Monitor. It's normally located in winnt\system32\netmon\parsers and is made by Microsoft. So, its being in winnt\system32 and not from MS might indicate that a 3rd party network monitor has been installed...

Also, the reason why inetsrv doesn't show up is because IIS actually runs as inetinfo.exe.

On the bot itself, I have not seen it before. Did your client give a reason for not reinstalling everything? It seems obvious to me that if an IRC bot is running on your machine, the system has been compromised (even if by a rogue admin)...

-----Original Message-----
From: Nick Jacobsen [mailto:nick@ethicsdesign.com]
Sent: Wednesday, April 02, 2003 9:10 PM
To: incidents@securityfocus.com

Hi all, hoping someone can point me in the right direction.

I usually do penetration testing, but one of my clients had someone, they suspect a past employee, break into their network. I didn't get called in till well after the incident, and they did not have any logs from the time of the incident. Now, I have found two extremely odd things... One, a file called logon.dll in the winnt\system32 directory, that was NOT made by Microsoft, and two, that inetsrv (Internet Information Services) does not show up in the process list, though it is running. BTW, this is a Windows 2000 box. I have advised this client to wipe the box and restore from a ghost image, but they are not willing to. I guess my question is for any possible information on a root kit that could have been used against this machine, as well as any tools you know about that may help me detect the rootkit.

On a second note, I have discovered an IRC bot installed on this machine as well. The file name was r_bot.dll, and it connected to irc.choopa.net, channel #thallia, chan password "suckme"... Have any of you run into this specific bot? If so, what commands does it support?

Anyway, thanks in advance for your help.

Nick Jacobsen
Ethics Design
nick@ethicsdesign.com
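The two points Rodrigo makes above (a logon.dll belongs under netmon\parsers and should come from Microsoft; IIS has no process called inetsrv, it runs as inetinfo.exe) can be turned into a small triage check. The following is an added example, not code from either poster; the file inventory and process list are constructed stand-ins for what a "dir /s" listing plus a version/signature dump would give you, and the "Microsoft" publisher match is an assumption about how the CompanyName or signer field is reported.

```python
import ntpath
from dataclasses import dataclass


# Hypothetical inventory record: one line of a file listing joined with the
# publisher reported by the file's version resource or Authenticode signer.
@dataclass(frozen=True)
class FileRecord:
    path: str      # full path as reported by the host
    company: str   # publisher string, "" if the file carries none


# Where Network Monitor installs its R_Logon parser (from the reply above).
EXPECTED_LOGON_DLL_DIR = r"winnt\system32\netmon\parsers"


def _norm(p: str) -> str:
    """Case-insensitive, backslash-only form for comparing Windows paths."""
    return p.replace("/", "\\").lower()


def check_logon_dll(records):
    """Flag every logon.dll that is outside the Network Monitor parser
    directory or is not published by Microsoft.

    Returns a list of (original_path, reason) tuples; an empty list means
    every logon.dll found is where it should be and from whom it should be.
    """
    findings = []
    for rec in records:
        path = _norm(rec.path)
        if ntpath.basename(path) != "logon.dll":
            continue
        in_expected_dir = ntpath.dirname(path).endswith(EXPECTED_LOGON_DLL_DIR)
        # Assumption: a Microsoft-published file reports a publisher string
        # beginning with "Microsoft" (e.g. "Microsoft Corporation").
        from_microsoft = rec.company.strip().lower().startswith("microsoft")
        if in_expected_dir and from_microsoft:
            continue
        reasons = []
        if not in_expected_dir:
            reasons.append("outside netmon\\parsers")
        if not from_microsoft:
            reasons.append("not published by Microsoft")
        findings.append((rec.path, "; ".join(reasons)))
    return findings


def iis_running(process_names):
    """IIS never appears as 'inetsrv' in a process list; look for inetinfo.exe."""
    names = {n.strip().lower() for n in process_names}
    return "inetinfo.exe" in names


# Constructed sample data: a legitimate parser copy, a stray copy in system32
# with no publisher (the case from the original post), and an unrelated DLL.
SAMPLE_FILES = [
    FileRecord(r"C:\WINNT\system32\netmon\parsers\logon.dll", "Microsoft Corporation"),
    FileRecord(r"C:\WINNT\system32\logon.dll", ""),
    FileRecord(r"C:\WINNT\system32\kernel32.dll", "Microsoft Corporation"),
]
SAMPLE_PROCESSES = ["System", "inetinfo.exe", "explorer.exe"]


if __name__ == "__main__":
    for path, reason in check_logon_dll(SAMPLE_FILES):
        print(f"SUSPECT {path}: {reason}")
    print("IIS running (inetinfo.exe present):", iis_running(SAMPLE_PROCESSES))
```

On the constructed sample the check reports only the system32 copy, with both reasons, and confirms IIS from inetinfo.exe rather than from any "inetsrv" name. A match on publisher string is only as strong as the tool that produced it; on a host you suspect of carrying a rootkit, collect the listing from offline media rather than trusting the live system's own view of its files and processes.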




Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents

Received on Thu Apr 3 19:44:31 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:01 EDT
