[Dshield] ISC pages working for me now too

TRushing at hollandco.com
Fri Oct 7 20:58:38 GMT 2005


Clinton E. Troutman wrote on 10/07/2005 03:27:44 PM:

> On Friday 07 October 2005 13:07, TRushing at hollandco.com wrote:
> > I just looked at the http://isc.sans.org page because I was going to
> > contact the handler on duty for help looking at a possible rootkit
> > infection here and the html returned was
> >
> > <html><body></body></html>
> 
> 
> Working fine for me as of the time of this message...

It was working fine for me by the time my message was posted to the list. 
I had waited a bit and tried going to the forums to see if there was news 
of this.  I thought about posting a follow-up saying it seemed to be back 
up, but hoped that my original message was seen by a moderator who 
contacted somebody to fix things and had decided not to post the message.

I've got a machine with at least one running process that does not show up 
in Task Manager or Sysinternals RootkitRevealer.  The EXE and files 
associated with it do not show up in Windows Explorer, but they do show up 
in DOS.  I suspect that is why RootkitRevealer is not mentioning the 
files as hidden.  I only found the process because it did show up in 
Sysinternals File Monitor when it attempted to write out some data.  That 
makes me think that there may be other things hiding here and that the 
file I found is not necessarily the rooted process, just something being 
hidden by it.

Something definitely seems to be intercepting API calls to hide it because 
the files are not visible in Windows Explorer even when copied to a 
network share, but they are visible from any other machine I've checked.

I've submitted them to a few AV sites and via the Handler's file 
submission at ISC.  The machine is getting wiped soon, though, because I 
can't devote the time this really needs to forensics on it.

    ---Tim
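The detection approach Tim stumbled onto above (files visible from DOS and from another machine on the network, but not from Explorer on the infected host) is a cross-view comparison: a rootkit that hooks the API one viewer uses cannot also alter a view it does not control, so any entry present in one listing and absent from the other is suspicious. The script below is an added example and is not part of the original post or of any Sysinternals tool; it builds a "trusted" view of a directory (for instance one taken from a clean machine over a share) and compares it against a second view, flagging entries that are hidden, phantom, or modified. The directory contents and the simulated hooked listing in `demo()` are constructed for the example.

```python
"""Cross-view directory comparison (added example, not from the original post).

The idea: snapshot the same directory from two vantage points and diff them.
'trusted' is the listing from a vantage point the rootkit does not control
(another host reading the share, an offline boot, a raw disk read); 'local'
is the listing the possibly-hooked host returns. Entries that the trusted
view has but the local view lacks are the hidden ones.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    size: int
    sha256: str


def snapshot(directory):
    """Build one view of a directory: name -> Entry (size and SHA-256).

    Which vantage point this represents depends on where it is run; the
    function itself just records what the API it calls reports.
    """
    view = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        view[name] = Entry(name, os.path.getsize(path), digest)
    return view


def cross_view_diff(trusted, local):
    """Compare two views of the same directory.

    Returns a dict with three sorted lists:
      hidden   - present in the trusted view, missing from the local one
      phantom  - present locally only (e.g. a decoy or stale cache entry)
      modified - present in both but with a different size or hash
    """
    trusted_names, local_names = set(trusted), set(local)
    return {
        "hidden": sorted(trusted_names - local_names),
        "phantom": sorted(local_names - trusted_names),
        "modified": sorted(
            n for n in trusted_names & local_names if trusted[n] != local[n]
        ),
    }


def demo():
    """Constructed scenario: write two files, take a trusted snapshot, then
    simulate a hooked local listing that filters one name out."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("notes.txt", b"hello"), ("sample_hidden.exe", b"MZ\x90")]:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        trusted = snapshot(d)
        # Simulated hooked view: the suspicious entry is dropped from the listing.
        local = {n: e for n, e in trusted.items() if n != "sample_hidden.exe"}
        return cross_view_diff(trusted, local)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

In a real investigation the two snapshots would be taken from different vantage points (one on the suspect host, one from a clean machine reading the same directory over the share, as in the post) and then compared with `cross_view_diff`; the hash comparison also catches a file that is listed but whose contents differ between views.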

