[Dshield] ISC pages working for me now too
TRushing at hollandco.com
Fri Oct 7 20:58:38 GMT 2005
Clinton E. Troutman wrote on 10/07/2005 03:27:44 PM:
> On Friday 07 October 2005 13:07, TRushing at hollandco.com wrote:
> > I just looked at the http://isc.sans.org page because I was going to
> > contact the handler on duty for help looking at a possible rootkit
> > infection here and the html returned was
> > <html><body></body></html>
> Working fine for me as of the time of this message...

It was working fine for me by the time my message was posted to the list.
I had waited a bit and tried going to the forums to see if there was news
of this. I thought about posting a follow-up saying it seemed to be back
up, but hoped that my original message was seen by a moderator who
contacted somebody to fix things and had decided not to post the message.

I've got a machine with at least one running process that does not show up
in Task Manager or Sysinternals RootKit Revealer. The EXE and files
associated with it do not show up in Windows Explorer, but they do show up
in DOS. I suspect that is why RootKit Revealer is not mentioning the
files as hidden. I only found the process because it did show up in
Sysinternals File Monitor when it attempted to write out some data. That
makes me think that there may be other things hiding here and that the
file I found is not necessarily the rooted process, just something being
hidden by it.

Something definitely seems to be intercepting API calls to hide it, because
the files are not visible in Windows Explorer even when copied to a
network share, but they are visible from any other machine I've checked.
I've submitted them to a few AV sites and via the Handler's file
submission at ISC. The machine is getting wiped soon, though, because I
can't devote the time this really needs to forensics on it.
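The observation in the post above (files hidden from Explorer but visible from a DOS prompt and from other machines over a share) is the cross-view idea: a rootkit that filters one enumeration path rarely filters every path, so listing the same directory from two vantage points and diffing the results exposes what is being hidden. The script below is an added example written for this archive page, not code from the poster or from the ISC/DShield list. It parses two listings (the constructed `size name` format, sample data and file names are placeholders invented here), reports entries one view shows and the other omits, and flags size disagreements; `capture_local_view` is a hypothetical helper that produces a listing from the local host so a practitioner can compare it against one brought over from a clean machine.

```python
"""Cross-view comparison of two directory listings (added example)."""
from __future__ import annotations

import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    size: int


def parse_listing(text: str) -> dict[str, Entry]:
    """Parse a constructed 'size name' listing, one entry per line.

    Lines starting with '#' are comments.  Keys are lower-cased because
    Windows file names compare case-insensitively; the original spelling
    is kept in the Entry for reporting.
    """
    entries: dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        size_str, name = line.split(maxsplit=1)
        entries[name.lower()] = Entry(name, int(size_str))
    return entries


def capture_local_view(directory: str) -> dict[str, Entry]:
    """Hypothetical helper: list `directory` through os.scandir.

    On Windows this uses the same Win32 enumeration API as Explorer, so it
    is the 'local, possibly hooked' vantage point.  The second view should
    come from a path the suspect machine's API layer is not involved in,
    e.g. a listing taken over a network share from another host.
    """
    entries: dict[str, Entry] = {}
    with os.scandir(directory) as it:
        for de in it:
            if de.is_file(follow_symlinks=False):
                size = de.stat(follow_symlinks=False).st_size
                entries[de.name.lower()] = Entry(de.name, size)
    return entries


def cross_view_diff(local: dict[str, Entry], remote: dict[str, Entry]) -> dict:
    """Compare two views of the same directory.

    missing_from_local  - names the remote view shows but the local one hides
    missing_from_remote - names only the local view shows
    size_mismatch       - (name, local_size, remote_size) for files both views
                          list but whose sizes disagree
    """
    only_remote = sorted(remote[k].name for k in remote.keys() - local.keys())
    only_local = sorted(local[k].name for k in local.keys() - remote.keys())
    mismatch = sorted(
        (local[k].name, local[k].size, remote[k].size)
        for k in local.keys() & remote.keys()
        if local[k].size != remote[k].size
    )
    return {
        "missing_from_local": only_remote,
        "missing_from_remote": only_local,
        "size_mismatch": mismatch,
    }


# Constructed sample data; the file names are placeholders, not indicators.
LOCAL_VIEW = """
# listing as seen from the suspect machine itself
1024 readme.txt
4096 config.ini
"""

REMOTE_VIEW = """
# same directory listed over a network share from a clean machine
1024 readme.txt
4100 config.ini
73728 hiddenproc.exe
512 hiddenproc.dat
"""


def demo() -> dict:
    """Run the diff over the constructed sample views."""
    return cross_view_diff(parse_listing(LOCAL_VIEW), parse_listing(REMOTE_VIEW))


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items if items else 'none'}")
```

Anything listed under `missing_from_local` is the interesting set: the local machine's API layer is not returning entries that a second, independent view can see. A size mismatch on a file both views report is a weaker signal (it may simply be a file that changed between captures), but on a suspected rootkit host it is worth preserving the remote copy before the machine is wiped.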