Message-ID: <00c001c4b976$38dc7cf0$166310ac@pc1221>
From: mnv at alumni.princeton.edu (MN Vasquez)
Subject: Help, possible rootkit

Any odd traffic coming to or from this machine?  What's a sniffer telling
you?

I might've missed it, but is this a home user machine or in a business 
place?

Do you have issues running in safe mode?  If you don't, then it would sound 
like the rootkit's not running, which means you can probably look at some of 
the normal places for a file/processes loading/starting.

I don't know about the rest of the list, but I haven't seen or heard of too 
many process hiding xp rootkits that are undetectable by some of the basic 
methods mentioned.  See www.rootkit.com.  At least, not floating around on a 
single PC that sounds like an unlikely "high value" target.  It seems much 
more likely that XP or an application is just crapping out on you, and if 
you can't figure it out, reinstall.  If nothing is revealed after trying
some of the methods already suggested here and by others, I think the
likelihood -- given the info you've told us so far -- makes it unlikely
that it's a rootkit.

My 2 cents.


> ----- Original Message ----- 
> From: "BillyBob" <billybobknob@...mail.com>
> To: "Alan Melia (Melmac)" <alanme@...mac.co.uk>; "'Full Disclosure'" 
> <full-disclosure@...ts.netsys.com>
> Sent: Saturday, October 23, 2004 1:30 PM
> Subject: Re: [Full-Disclosure] Help, possible rootkit
>
>
>> I have run Process Explorer, Code Stuff Starter but nothing shows up in
>> the list as using this 25-30% of my CPU.  I also updated and ran PestPatrol,
>> NortonAV, etc but nothing is detected which is why I think I have a
>> rootkit that has patched the kernel and therefore not allowing any of these
>> programs to detect it.
>>
>> Anything else ?
>>
>>
>> ----- Original Message -----
>> From: "Alan Melia (Melmac)" <alanme@...mac.co.uk>
>> To: "'BillyBob'" <billybobknob@...mail.com>; "'Full Disclosure'"
>> <full-disclosure@...ts.netsys.com>
>> Sent: Saturday, October 23, 2004 4:47 PM
>> Subject: RE: [Full-Disclosure] Help, possible rootkit
>>
>>
>>> First check to see what processes are running.  TaskList is built in but I
>>> would recommend:
>>> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
>>>
>>> Get to know your machine and what processes are running normally.  With
>>> 25-30% CPU it should stick out like a sore thumb.
>>>
>>> Oh yeah don't run as admin (see http://blogs.msdn.com/aaron_margosis).
>>>
>>> Alan
>>>
>>>
>>> -----Original Message-----
>>> From: full-disclosure-admin@...ts.netsys.com
>>> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of BillyBob
>>> Sent: 23 October 2004 17:05
>>> To: Full Disclosure
>>> Subject: [Full-Disclosure] Help, possible rootkit
>>>
>>> I have noticed that my XP system is behaving like I have a rootkit.
>>>
>>> - My mouse is jumpy (it freezes for a second when I move it around the
>>> desktop) and the minimized Taskmanager in the systray shows I have around
>>> 25 - 30 % usage, but when I open it, there is no process listed using this
>>> much.
>>> - I did a netstat, fport, openports and none of these show that I have any
>>> odd ports open or any connections established.
>>> - even when I disconnect from the Internet these symptoms do not stop.  They
>>> stop if I reboot, but then start again.
>>>
>>> I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
>>> could not find anything.
>>>
>>> Any more suggestions ?
>>> Any more rootkit finding tools for Windows ?
>>>
>>> Thanks
>>> Bill
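The symptom in this thread, system-wide CPU use that no listed process accounts for, can be checked with the same cross-view idea the tools above rely on: enumerate processes through two independent paths and reconcile per-process CPU time against the machine-wide counter. This is an added example, not code from the thread or from any of the tools mentioned; it assumes a current Windows host with PowerShell 3 or later (not the XP machine discussed) and an elevated prompt so process times are readable.

```powershell
# Added example: cross-view process check for "CPU is busy but nothing is listed".
# View 1: the Win32/.NET process API.  View 2: WMI, a separate enumeration path.
$apiPids = (Get-Process).Id
$wmiPids = (Get-CimInstance -ClassName Win32_Process).ProcessId
$diff    = Compare-Object -ReferenceObject $apiPids -DifferenceObject $wmiPids
# Short-lived processes cause transient mismatches; a PID missing from one
# view on repeated runs is the one worth investigating.
$diff | ForEach-Object {
    $side = if ($_.SideIndicator -eq '<=') { 'API only' } else { 'WMI only' }
    "PID $($_.InputObject) seen by $side"
}

# Snapshot cumulative CPU time of every visible process, wait, snapshot again.
function Get-CpuSnapshot {
    $snap = @{}
    foreach ($p in Get-Process) {
        if ($p.Id -eq 0) { continue }                 # PID 0 is the Idle pseudo-process
        try { $snap[$p.Id] = $p.TotalProcessorTime } catch { }   # protected process, skip
    }
    return $snap
}
$interval = 5
$before   = Get-CpuSnapshot
# Get-Counter waits $interval seconds before returning its sample, so the
# counter window lines up (approximately) with the two snapshots.
$sample   = Get-Counter -Counter '\Processor(_Total)\% Processor Time' `
                        -SampleInterval $interval -MaxSamples 1
$after    = Get-CpuSnapshot

$visibleSeconds = 0.0
foreach ($id in $after.Keys) {
    if ($before.ContainsKey($id)) {
        $visibleSeconds += ($after[$id] - $before[$id]).TotalSeconds
    }
}
$cores      = (Get-CimInstance -ClassName Win32_ComputerSystem).NumberOfLogicalProcessors
$visiblePct = [math]::Round(100.0 * $visibleSeconds / ($interval * $cores), 1)
$systemPct  = [math]::Round($sample.CounterSamples[0].CookedValue, 1)
"System busy: $systemPct%   accounted for by visible processes: $visiblePct%"
# A persistent gap of tens of percent means the consumer is not in the visible
# list.  Kernel threads are charged to the System process (PID 4), so check
# that first; only a gap that survives repeated runs points at a hidden process.
```

Run it several times a minute apart: a single mismatch is usually a process that started or exited mid-sample, whereas the reported symptom is constant.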
