Pantek Library

Re: Logon.dll? Possible root-kit?

From: Nick Jacobsen <nick(at)ethicsdesign.com>
Date: Thu Apr 03 2003 - 15:43:05 EST


Ok, here is a link to a rar of the suspected files:

    http://www.ethicsdesign.com/HackLog.rar

As some of you said, it looks like there is not a rootkit installed, and it looks like this was an attempt at making this box join a botnet. A kindly IRCOp has offered to both decompile the bot dll, and to remove the offending channel (#thallia), so that is taken care of. Anyway, I did manage to convince my clients that this was serious enough to warrant a wipe of the data on the machine. I am waiting to see what your analysis of these files is.

Thank You,
Nick Jacobsen
nick@ethicsdesign.com



Received on Thu Apr 3 19:53:01 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:01 EDT

