Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Rootkit Findings SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Rootkit Findings
A reader who wishes to remain anonymous sent us a nice write-up of findings uncovered while investigating an intrusion.  Below is the entire note, minus identifying details. 

I got caught out by the recent MailEnable buffer overflow vulnerability by a few hours. I'd been running the patch in pre-live for a few days for testing but was too slow in getting the live server patched unfortunately.

The rootkit seemed to be running 2 ServU deamons one on port 43958 and the other on port 1050 using an SSL connection. There were a host of other ports opened by the rootkit and I couldn't figure out what they were for... The server I had to fix is 200 miles away so it was all done via a remote desktop connection.

I used a heap load of sysinternal tools to figure out what was going on and compared services etc to the build manifest that I created for that server before it was put into production. Using the manifest I was able to ascertain exactly what services had been installed and how to remove them.

The problems came with the rootkit hiding the netsv! and certmngr services along with the associated files in the directory C:\Windows\Congig\system.

I used netstat -a -b a lot to verify information regarding the applications running and used that along with the info from RootKitRevealer to use the sc command from the Windows resource kit to first stop then remove the services.

One thing to note is that the thing renamed the display name of the netlogon service to "System Spooler". If I hadn't been paying attention I might have tried to delete that service too... It would have been a catastrophic mistake to make...

One file that I deleted accidentally was the logon.exe file that resided in the system32 directory. That file was run by the pipext service with the display name of "Windows Media Client (WMC)".


301 Posts
ISC Handler
Apr 14th 2006

Sign Up for Free or Log In to start participating in the conversation!