I have seen some root kits be able to hide from tools like F-Port and such.
As you have suggested, using a packet capture tool usually always helps
identify which port they are exploiting. However, with that said, the one
thing that I keep as a golden rule is that once a box has been compromised,
it's going to be scratched. You just never know what else they left on
the machine.
Darrell
-------------------------------------------
DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus. Download
it today - http://www.invariantsystems.com
----- Original Message -----
From: "Russ Lists" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Thursday, September 08, 2005 9:24 AM
Subject: Re: [Declude.JunkMail] OT - iMail 7.x and Windows 2003
Orin Wells wrote:
> OK, I see it. The question is how do you KILL the stuff that has gotten
> into the server? We shut down the IMAP yesterday primarily because we
> really don't have anyone we are aware of who does not use POP3. But the
> problem persists and seems to avoid every attempt to find it. I see a
> lot of code on the examples of how they are using the exploit. I am
> afraid it does not mean a lot to me and my brain is too tired to try to
> make any sense of this and figure out how to catch it. Surely someone
> has found a solution.
They *have* to connect to a network port. If you can't find the port that
shouldn't be open using something like Foundstone's Vision
(http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/vision.htm)
... watch wrap .. then the only option you have is to set up a packet
capture like ethereal (http://www.ethereal.com/) and look at the raw
data.
> My guess is they have been able to plant something they are now using
> against us. According to the tech if he disconnects the server from the
> network, the problem stops. It is only when the cable is hooked up that
> it starts in again.
They've definitely installed a root kit. Windows root kits are becoming
obscenely popular. Your only option is to capture the raw data with
ethereal if it's a good root kit.
> I suppose if it is coming in on a specific IP address we could disconnect
> them all and then add them back one at a time until we find the one they
> are coming in on, but that sounds like a LOT of work. Is there some
> other way to find this? Right now we have a lot of unhappy clients.
If you block their IP, they will just come in on another IP. You must
find the program and get rid of it, or rebuild...
If I can be of any more assistance, let me know.
Thanks,
Russ
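Russ's point that the intruder still has to answer on some TCP port, even when a root kit hides it from host-side tools, is the basis of a simple cross-view check: compare the ports the server is seen accepting connections on in a packet capture with the ports its own port-listing tool admits to. The script below is an added example and is not code from the thread or from Declude; the capture lines, the host port listing, the addresses and the simplified "src -> dst [flags]" summary format are all constructed for illustration (real ethereal/Wireshark exports look different and would need their own parser).

```python
"""Cross-view check: ports the host answers on the wire vs. ports its own
tools report. Added example with constructed sample data; the line format
is a simplified capture summary, not a real ethereal/Wireshark export."""
import re

HOST_IP = "192.0.2.10"  # constructed address of the examined mail server

# Constructed capture summary lines: "<src>:<sport> -> <dst>:<dport> [flags]"
CAPTURE_LINES = [
    "198.51.100.7:51234 -> 192.0.2.10:110 [SYN]",
    "192.0.2.10:110 -> 198.51.100.7:51234 [SYN,ACK]",     # POP3, expected
    "198.51.100.7:51235 -> 192.0.2.10:143 [SYN]",
    "192.0.2.10:143 -> 198.51.100.7:51235 [RST,ACK]",     # IMAP shut down, refused
    "203.0.113.9:40001 -> 192.0.2.10:31337 [SYN]",
    "192.0.2.10:31337 -> 203.0.113.9:40001 [SYN,ACK]",    # accepted, not in host listing
    "203.0.113.9:40001 -> 192.0.2.10:31337 [ACK]",
]

# Constructed output of a host-side listing tool; a root kit hiding a
# listener would leave its port out of exactly this kind of list.
HOST_REPORTED_LISTENERS = {25, 110, 143}

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) \[([A-Z,]+)\]$")


def _parse(line):
    """Return (src, sport, dst, dport, flagset) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), set(flags.split(","))


def ports_answered_on_wire(lines, host_ip):
    """Local ports from which host_ip sent SYN,ACK, i.e. accepted a connection.
    A RST,ACK reply means the port was closed, so it is not counted."""
    answered = set()
    for line in lines:
        parsed = _parse(line)
        if parsed is None:
            continue
        src, sport, _dst, _dport, flagset = parsed
        if src == host_ip and {"SYN", "ACK"} <= flagset and "RST" not in flagset:
            answered.add(sport)
    return answered


def hidden_listeners(lines, host_ip, reported):
    """Ports that accept connections on the wire but are missing from the
    host's own listing: the discrepancy a hiding root kit produces."""
    return sorted(ports_answered_on_wire(lines, host_ip) - set(reported))


def remote_peers_for_port(lines, host_ip, port):
    """Remote addresses that opened a connection to `port` on the host,
    useful for tracing the traffic and for firewall decisions."""
    peers = set()
    for line in lines:
        parsed = _parse(line)
        if parsed is None:
            continue
        src, _sport, dst, dport, flagset = parsed
        if dst == host_ip and dport == port and "SYN" in flagset and "ACK" not in flagset:
            peers.add(src)
    return peers


if __name__ == "__main__":
    for port in hidden_listeners(CAPTURE_LINES, HOST_IP, HOST_REPORTED_LISTENERS):
        peers = ", ".join(sorted(remote_peers_for_port(CAPTURE_LINES, HOST_IP, port)))
        print(f"port {port} accepts connections but is not reported locally; peers: {peers}")
```

Run against a real capture, the same comparison would be done with the capture exported to a parseable form and the host listing taken from whatever port tool is in use; the key is that the capture is taken off-host (a span port or a second machine), since anything run on the compromised box may itself be lied to. As Darrell notes, the finding is for understanding what happened, not a substitute for rebuilding.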
---
[This E-mail scanned for viruses by Declude Virus]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.