HP3000-L Archives

November 2008, Week 4

HP3000-L@RAVEN.UTC.EDU

From: Craig Lalley <[log in to unmask]>
Date: Tue, 25 Nov 2008 16:39:23 -0800
Well, I feel all grown up now.  Had to deal with a root kit.

The symptom was that the DNS server was replaced with 
85.255.112.189
85.255.112.113

When I looked up the IP address, the location was in the Ukraine.  Given that it was east of Jersey, I figured nothing good could come from it. :-) 

Every time I tried to change it, it came back.  I deleted the adapter, cleaned the registry several times, and it would come back.

With a little sleuthing I was able to find a tool to detect the root kit and remove it.

The files removed were:

c:\documents and settings\Sharon\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\resycled
c:\resycled\boot.com
c:\windows\system32\dccbdf3_d.dll
c:\windows\system32\kdbaw.exe
c:\windows\system32\winsusrm.dll
c:\windows\system32\winsusrx.dll

Now keep in mind, since it was a root kit, I could not see the C:\resycled directory.

Scary stuff, the hackers are getting more sophisticated thanks to Sony.

-Craig
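Added example (not part of Craig's post): a small Python check for the symptom he describes, pulling the resolvers out of `ipconfig /all` output and flagging any that are not on an expected list. The sample output, the adapter details and the expected resolver 192.168.1.1 are constructed for the example; only the two DNS addresses come from the post.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (Windows XP era), not real
# output from the poster's machine. The two DNS entries are the addresses
# the post reports; the adapter, gateway and host address are placeholders.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WORKSTATION

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.112.189
                                            85.255.112.113
"""

# Resolvers the site actually expects; an assumed value for this example.
EXPECTED_DNS = {"192.168.1.1"}

def parse_dns_servers(text):
    """Extract DNS server addresses from ipconfig /all output.
    The first server sits on the 'DNS Servers' line; any further servers
    follow on continuation lines that hold only an address."""
    servers, in_block = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*: *(\S*)", line)
        if m:
            in_block = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        if in_block:
            s = line.strip()
            try:
                ipaddress.ip_address(s)  # continuation line with an address
                servers.append(s)
            except ValueError:
                in_block = False  # anything else ends the DNS block
    return servers

def find_unexpected(servers, expected=EXPECTED_DNS):
    """Return configured resolvers that are not on the expected list."""
    return [s for s in servers if s not in expected]
```

On a live Windows box the same functions can be fed the text of `ipconfig /all` (for example via `subprocess.run`) from a scheduled task, so a resolver that keeps reverting, as in the post, shows up as a repeated alert rather than a one-off fix.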