I have seen some root kits be able to hide from tools like F-Port and such. As you have suggested, using a packet capture tool usually helps identify which port they are exploiting. However, with that said, the one thing that I keep as a golden rule is that once a box has been compromised, it's going to be scratched. You just never know what else they left on the machine.

Darrell
-------------------------------------------
DLAnalyzer - Comprehensive reporting on Declude Junkmail and Virus. Download it today - http://www.invariantsystems.com

----- Original Message ----- From: "Russ Lists" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Thursday, September 08, 2005 9:24 AM
Subject: Re: [Declude.JunkMail] OT - iMail 7.x and Windows 2003


Orin Wells wrote:

OK, I see it. The question is how do you KILL the stuff that has gotten into the server? We shut down the IMAP yesterday primarily because we really don't have anyone we are aware of who does not use POP3. But the problem persists and seems to avoid every attempt to find it. I see a lot of code on the examples of how they are using the exploit. I am afraid it does not mean a lot to me and my brain is too tired to try to make any sense of this and figure out how to catch it. Surely someone has found a solution.

They *have* to connect to a network port. If you can't find the port that shouldn't be open using something like Foundstone's Vision (http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/vision.htm) ... watch wrap ... then the only option you have is to set up a packet capture like ethereal (http://www.ethereal.com/) and look at the raw data.
My guess is they have been able to plant something they are now using against us. According to the tech if he disconnects the server from the network, the problem stops. It is only when the cable is hooked up that it starts in again.

They've definitely installed a root kit. Windows root kits are becoming obscenely popular. Your only option is to capture the raw data with ethereal if it's a good root kit.

I suppose if it is coming in on a specific IP address we could disconnect them all and then add them back one at a time until we find the one they are coming in on, but that sounds like a LOT of work. Is there some other way to find this? Right now we have a lot of unhappy clients.

If you block their IP, they will just come in on another IP. You must find the program and get rid of it, or rebuild...

If I can be of any more assistance, let me know.

Thanks,
Russ
---
[This E-mail scanned for viruses by Declude Virus]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
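Both Darrell's point (a root kit hides its listener from host tools such as FPort) and Russ's (the attacker still has to reach a port, so a capture taken off the host cannot be fooled the same way) come down to one check: compare what the host admits is listening against what the wire shows it actually accepting. The script below is an added example and is not code from either poster, Declude, Foundstone or ethereal. The `netstat -ano` text, the tcpdump-style capture lines, the host address 192.0.2.10 and the port numbers in it are all constructed for illustration; the capture is assumed to have been taken on a second machine or a span port rather than on the suspect host.

```python
import re
from typing import Dict, Set

# Constructed sample of `netstat -ano` output as a Windows 2003 host prints it.
# A kernel-mode root kit that hooks the socket enumeration netstat, FPort and
# similar tools rely on simply omits its own listener from this view.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:25          198.51.100.7:41022     ESTABLISHED     1204
  UDP    0.0.0.0:161            *:*                                    988
"""

# Constructed sample of tcpdump-style one-liners from a capture taken off the host
# (span port or second machine), so nothing on the host can edit it.
# Flags [S.] is SYN-ACK: the host accepted a connection on that port, hidden or not.
# Flags [R.] is the RST a genuinely closed port sends back.
CAPTURE_SAMPLE = """\
10:11:01.100 IP 198.51.100.7.41022 > 192.0.2.10.25: Flags [S], seq 1000
10:11:01.101 IP 192.0.2.10.25 > 198.51.100.7.41022: Flags [S.], seq 2000, ack 1001
10:11:05.300 IP 203.0.113.9.50111 > 192.0.2.10.31337: Flags [S], seq 5000
10:11:05.301 IP 192.0.2.10.31337 > 203.0.113.9.50111: Flags [S.], seq 6000, ack 5001
10:11:07.000 IP 203.0.113.9.50112 > 192.0.2.10.8080: Flags [S], seq 7000
10:11:07.001 IP 192.0.2.10.8080 > 203.0.113.9.50112: Flags [R.], seq 0, ack 7001
"""

HOST_IP = "192.0.2.10"  # assumed address of the suspect mail server (constructed)

NETSTAT_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>[\d.]+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def host_listening_ports(netstat_text: str) -> Dict[int, int]:
    """Ports the host itself admits are listening on TCP, mapped to the owning PID."""
    ports: Dict[int, int] = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_LISTEN_RE.match(line)
        if m:
            ports[int(m.group("port"))] = int(m.group("pid"))
    return ports


def wire_accepted_ports(capture_text: str, host_ip: str) -> Dict[int, Set[str]]:
    """Ports on which the host answered SYN-ACK, i.e. really accepted a TCP
    connection, mapped to the set of peer addresses that got in.
    Closed ports answer with RST and are ignored."""
    accepted: Dict[int, Set[str]] = {}
    for line in capture_text.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m or m.group("src") != host_ip or m.group("flags") != "S.":
            continue
        accepted.setdefault(int(m.group("sport")), set()).add(m.group("dst"))
    return accepted


def hidden_listeners(netstat_text: str, capture_text: str, host_ip: str) -> Dict[int, Set[str]]:
    """Cross-view diff: ports the wire proves are open but the host's own tools do not report."""
    admitted = host_listening_ports(netstat_text)
    observed = wire_accepted_ports(capture_text, host_ip)
    return {port: peers for port, peers in observed.items() if port not in admitted}


if __name__ == "__main__":
    for port, peers in sorted(hidden_listeners(NETSTAT_SAMPLE, CAPTURE_SAMPLE, HOST_IP).items()):
        print(f"hidden listener on TCP/{port}; connections accepted from {', '.join(sorted(peers))}")
```

In the constructed data the host admits ports 25, 110 and 445, the wire shows it accepting connections on 25 and 31337, and 8080 is rejected with a RST, so the only discrepancy reported is TCP/31337 with a peer of 203.0.113.9. A port that shows up in this diff is exactly the one to feed back into the capture filter to pull the raw session data Russ describes; and, as Darrell notes, finding it tells you where the back door is, not what else was left behind, which is why the box still gets rebuilt.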

