I ran Rootkit Revealer. Only four minor issues reported.

On Thu, Oct 30, 2008 at 3:39 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> Of course rootkits can do this.
>
> But why are we even jumping to the idea that there's one there, and that we
> need to start distrusting everything we see? Rootkits are much rarer in
> reality than people seem to think (bar HackerDefender - which can be picked
> up by most tools).
>
> I agree that the box has probably been compromised (so wipe and rebuild).
> But rootkits are another issue altogether.
>
> Cheers
> Ken
>
> > -----Original Message-----
> > From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, 30 October 2008 11:00 PM
> > To: NT System Admin Issues
> > Subject: RE: Unknown account created and added to local admins group
> >
> > I agree, but rootkits can hide the true intention of what is going on in
> > the system and subvert anything you are seeing in the GUI or logs, and
> > it's going to be pretty hard to tell what is legit and what isn't when
> > you have a kernel rootkit on your system. Albeit there might be a
> > few tell-tale signs. If it's been compromised, incident response
> > measures should be put in place: the system quarantined, wiped and
> > rebuilt from trusted media.
> >
> > Z
> >
> > Edward E. Ziots
> > Network Engineer
> > Lifespan Organization
> > MCSE, MCSA, MCP, Security+, Network+, CCA
> > Phone: 401-639-3505
> >
> > -----Original Message-----
> > From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, October 29, 2008 7:46 PM
> > To: NT System Admin Issues
> > Subject: RE: Unknown account created and added to local admins group
> >
> > Let's not get carried away with talk of a "rootkit" here.
> >
> > It could be a compromise. But rootkits are there to change the behaviour
> > of the Windows kernel (hence "root" kit). For all we know, this is just
> > a process running as LocalSystem (e.g. any number of services) that
> > performed the changes. Still looks like a compromise.
> >
> > Cheers
> > Ken
> >
> > > -----Original Message-----
> > > From: Phil Brutsche [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, 30 October 2008 6:17 AM
> > > To: NT System Admin Issues
> > > Subject: Re: Unknown account created and added to local admins group
> > >
> > > I bet that's what the event log would look like if a rootkit running as
> > > SYSTEM added local administrator accounts...
> > >
> > > Clubber Lang wrote:
> > > > Thanks, James. Yeah, the user was the same for all events: NT
> > > > AUTHORITY\SYSTEM
> > > >
> > > > 624 - User Account Created - 9:19:13 AM
> > > > 626 - User Account Enabled - 9:19:13 AM
> > > > 642 - User Account Changed - 9:19:13 AM
> > > > 628 - User Account Password Set - 9:19:13 AM
> > > > 636 - Security Enabled Local Group Member Added - 9:19:14 AM
> > > > 637 - Security Enabled Local Group Member Removed - 9:21:28 AM
> > > > 633 - Security Enabled Global Group Member Removed - 9:21:28 AM
> > > > 630 - User Account Deleted - 9:21:28 AM
> > >
> > > --
> > >
> > > Phil Brutsche
> > > [EMAIL PROTECTED]
> > >
> > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
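As an added, defender-side example that is not part of this thread: a small Python detector that reads a constructed log in a simplified one-line-per-event layout (not real Security-log output) carrying the legacy event IDs posted above, and flags an account that was created (624), added to the local Administrators group (636) and deleted (630) within a few minutes, recording whether the subject was SYSTEM, i.e. a LocalSystem process as Ken suggests. The account names, timestamps, control entry and log layout are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not real Security-log output): the thread's legacy event sequence
# in a one-line-per-event layout, plus one benign helpdesk action as a control case.
SAMPLE_LOG = """\
2008-10-30 09:19:13 624 NT AUTHORITY\\SYSTEM target=svcupd
2008-10-30 09:19:13 626 NT AUTHORITY\\SYSTEM target=svcupd
2008-10-30 09:19:13 642 NT AUTHORITY\\SYSTEM target=svcupd
2008-10-30 09:19:13 628 NT AUTHORITY\\SYSTEM target=svcupd
2008-10-30 09:19:14 636 NT AUTHORITY\\SYSTEM target=svcupd group=Administrators
2008-10-30 09:21:28 637 NT AUTHORITY\\SYSTEM target=svcupd group=Administrators
2008-10-30 09:21:28 633 NT AUTHORITY\\SYSTEM target=svcupd group=None
2008-10-30 09:21:28 630 NT AUTHORITY\\SYSTEM target=svcupd
2008-10-30 10:05:00 624 CORP\\helpdesk target=jsmith
2008-10-30 10:05:02 636 CORP\\helpdesk target=jsmith group=Remote Desktop Users
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\d{3}) (?P<subject>.+?) target=(?P<target>\S+)"
                     r"(?: group=(?P<group>.+))?$")

def parse_events(text):
    """Parse the constructed layout into dicts with a datetime timestamp and int event id."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["id"] = int(ev["id"])
        events.append(ev)
    return events

def find_transient_admins(events, window_s=900):
    """Flag accounts created (624), added to local Administrators (636) and deleted (630)
    within window_s seconds, noting whether SYSTEM (a LocalSystem process) was the subject."""
    by_target = {}
    for ev in events:
        by_target.setdefault(ev["target"], []).append(ev)
    findings = []
    for target, evs in by_target.items():
        first = lambda cond: next((e for e in evs if cond(e)), None)
        created = first(lambda e: e["id"] == 624)
        admin = first(lambda e: e["id"] == 636 and e["group"] == "Administrators")
        deleted = first(lambda e: e["id"] == 630)
        if not (created and admin and deleted):
            continue  # no full create -> admin -> delete chain for this account
        if created["ts"] <= admin["ts"] <= deleted["ts"] <= created["ts"] + timedelta(seconds=window_s):
            findings.append({"target": target, "subject": created["subject"],
                             "lifetime_s": int((deleted["ts"] - created["ts"]).total_seconds()),
                             "by_system": created["subject"].upper().endswith("\\SYSTEM")})
    return findings
```

Running `find_transient_admins(parse_events(SAMPLE_LOG))` reports only the svcupd account (alive 135 seconds, created by SYSTEM); the helpdesk entry is ignored because it never touched Administrators and was never deleted.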
