Root Kit on Domain Controller

Posted on 2008-11-15
Last Modified: 2013-12-06
I would like to know if these results can allow us to safely conclude that the server has a rootkit, and whether or not there is a way to determine how it got there, how much access the rootkit allows for, and whether or not there is a way to tell if any of the data has been compromised. Real VNC has been on the server since 2004 and no one ever updated the software, there have been hundreds of people trying to log in to it from all over and I know that there are some exploits for older versions. Also I know that the server has not been patched for well over 2 years. The guy that took care of the IT at this company was mostly here for desktop support. Also I would like to know about our legal obligations to inform customers of these findings. The first scan is from Virginity verifier, root kit revealer results are in an attached file. gmer results are also in an attached file. Super anti spyware found Worm.evilbot-B.
Any help that you may provide will be greatly appreciated!!!
verifying module: [        ntoskrnl.exe]  0%... -
verifying module: [          ftdisk.sys]  9%... -
verifying module: [            disk.sys] 17%... -
verifying module: [            Ntfs.sys] 20%... \
verifying module: [            NDIS.sys] 21%... |
verifying module: [             TDI.SYS] 41%... /
verifying module: [           tcpip.sys] 62%... \
verifying module: [             afd.sys] 65%... \
verifying module: [           ntdll.dll] 92%... -
verifying module: [        kernel32.dll] 93%... \
verifying module: [        ADVAPI32.dll] 95%... \
verifying module: [           PSAPI.DLL] 97%... /
verifying module: [          WS2_32.dll] 97%... -
verifying module: [          USER32.dll] 99%... |
                                                           
ntoskrnl.exe         (80800000 - 80a75000)... suspected! (verdict = 5).
module ntoskrnl.exe [0x80800000 - 0x80a75000]:
 0x80834d38 (section .text)   5 byte(s):
  JMPing code (jmp to: 0xf71d8bab)
  address 0xf71d8bab is inside SysPlant.sys module [0xf71d3000-0xf71ef000]
  target module path: SysPlant.sys
  file   :2b e1 c1 e9 02
  memory :e9 73 3e 9a 76
  verdict = 2

 0x80834e4c (section .text)   1 byte(s):  exclusion filter: KiSystemCallExitBranch() [05->06]
  file   :05
  memory :06
  verdict = 1

 0x8083ab62 (section .text)  18 byte(s):  exclusion filter: KeFlushCurrentTb()
  file   :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
  memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
  verdict = 1

 0x8083ab7a (section .text)   1 byte(s):  exclusion filter: KeFlushCurrentTb() [c3->00]
  file   :c3
  memory :00
  verdict = 1

 0x8083b0e7 (section .text) [RtlPrefetchMemoryNonTemporal()+0]   1 byte(s):  exclusion filter: RtlPrefetchMemoryNonTemporal() [c3->90]
  file   :c3
  memory :90
  verdict = 1

 0x8083fcb0 [KiServiceTable[13]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d648 DOES NOT belong to ANY MODULE!
  file   :78 3f 9a 80
  memory :48 d6 86 8a
  verdict = 5

 0x8083fcb4 [KiServiceTable[14]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a8266a0 DOES NOT belong to ANY MODULE!
  file   :2d 93 91 80
  memory :a0 66 82 8a
  verdict = 5

 0x8083fcc4 [KiServiceTable[18]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7c4468 DOES NOT belong to ANY MODULE!
  file   :2b 2d 85 80
  memory :68 44 7c 8a
  verdict = 5

 0x8083fce8 [KiServiceTable[27]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d818 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :ce ae 92 80
  memory :18 d8 44 f7
  verdict = 2

 0x8083fd28 [KiServiceTable[43]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e6d330 is inside SYMEVENT.SYS module [0xb9e59000-0xb9e79000]
  target module path: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
  file   :9f f6 93 80
  memory :30 d3 e6 b9
  verdict = 2

 0x8083fd30 [KiServiceTable[45]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d3f8 DOES NOT belong to ANY MODULE!
  file   :50 1b 94 80
  memory :f8 d3 86 8a
  verdict = 5

 0x8083fd38 [KiServiceTable[47]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf7441a20 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :73 c6 8c 80
  memory :20 1a 44 f7
  verdict = 2

 0x8083fd58 [KiServiceTable[55]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7e6648 DOES NOT belong to ANY MODULE!
  file   :51 58 91 80
  memory :48 66 7e 8a
  verdict = 5

 0x8083fda8 [KiServiceTable[75]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf74422a8 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :5d fc 93 80
  memory :a8 22 44 f7
  verdict = 2

 0x8083fdb0 [KiServiceTable[77]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d910 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :20 00 94 80
  memory :10 d9 44 f7
  verdict = 2

 0x8083fdd8 [KiServiceTable[87]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a824af0 DOES NOT belong to ANY MODULE!
  file   :10 41 85 80
  memory :f0 4a 82 8a
  verdict = 5

 0x8083fdf0 [KiServiceTable[93]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d4c8 DOES NOT belong to ANY MODULE!
  file   :5d d2 90 80
  memory :c8 d4 86 8a
  verdict = 5

 0x8083fdf8 [KiServiceTable[95]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d588 DOES NOT belong to ANY MODULE!
  file   :5f 0f 91 80
  memory :88 d5 86 8a
  verdict = 5

 0x8083fe40 [KiServiceTable[113]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a885828 DOES NOT belong to ANY MODULE!
  file   :76 16 93 80
  memory :28 58 88 8a
  verdict = 5

 0x8083fe5c [KiServiceTable[120]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d338 DOES NOT belong to ANY MODULE!
  file   :46 48 93 80
  memory :38 d3 86 8a
  verdict = 5

 0x8083fe70 [KiServiceTable[125]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e6d8c0 is inside SYMEVENT.SYS module [0xb9e59000-0xb9e79000]
  target module path: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
  file   :b7 e0 93 80
  memory :c0 d8 e6 b9
  verdict = 2

 0x8083fe80 [KiServiceTable[129]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a83da50 DOES NOT belong to ANY MODULE!
  file   :03 4b 93 80
  memory :50 da 83 8a
  verdict = 5

 0x8083fe98 [KiServiceTable[135]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a9634d8 DOES NOT belong to ANY MODULE!
  file   :5c d8 91 80
  memory :d8 34 96 8a
  verdict = 5

 0x8083feb8 [KiServiceTable[143]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xba26b280 is inside wpsdrvnt.sys module [0xba266000-0xba274000]
  target module path: \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
  file   :8c 10 94 80
  memory :80 b2 26 ba
  verdict = 2

 0x8083fed0 [KiServiceTable[149]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf71d77b0 is inside SysPlant.sys module [0xf71d3000-0xf71ef000]
  target module path: SysPlant.sys
  file   :34 0f 94 80
  memory :b0 77 1d f7
  verdict = 2

 0x8083ff18 [KiServiceTable[167]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf74422c8 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :21 f3 93 80
  memory :c8 22 44 f7
  verdict = 2

 0x8083ff60 [KiServiceTable[185]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d866 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :7e cb 93 80
  memory :66 d8 44 f7
  verdict = 2

 0x8083ffd4 [KiServiceTable[214]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a821820 DOES NOT belong to ANY MODULE!
  file   :6b 5e 91 80
  memory :20 18 82 8a
  verdict = 5

 0x8083fff0 [KiServiceTable[221]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a963418 DOES NOT belong to ANY MODULE!
  file   :1a 41 8f 80
  memory :18 34 96 8a
  verdict = 5

 0x80840030 [KiServiceTable[237]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a869860 DOES NOT belong to ANY MODULE!
  file   :39 b6 91 80
  memory :60 98 86 8a
  verdict = 5

 0x80840034 [KiServiceTable[238]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7c1460 DOES NOT belong to ANY MODULE!
  file   :6a 73 92 80
  memory :60 14 7c 8a
  verdict = 5

 0x80840064 [KiServiceTable[250]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d0b0 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :80 f3 9c 80
  memory :b0 d0 44 f7
  verdict = 2

 0x80840094 [KiServiceTable[262]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d278 DOES NOT belong to ANY MODULE!
  file   :bd 3e 9a 80
  memory :78 d2 86 8a
  verdict = 5

 0x80840098 [KiServiceTable[263]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a8267a8 DOES NOT belong to ANY MODULE!
  file   :8e 43 8f 80
  memory :a8 67 82 8a
  verdict = 5

 0x808400a4 [KiServiceTable[266]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e18f20 is inside SASKUTIL.sys module [0xb9e10000-0xb9e31000]
  target module path: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
  file   :8d 28 91 80
  memory :20 8f e1 b9
  verdict = 2

 0x808400a8 [KiServiceTable[267]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7c13a0 DOES NOT belong to ANY MODULE!
  file   :6b 1b 92 80
  memory :a0 13 7c 8a
  verdict = 5

 0x808400d0 [KiServiceTable[277]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86a218 DOES NOT belong to ANY MODULE!
  file   :b2 36 93 80
  memory :18 a2 86 8a
  verdict = 5

 0x808400f8 [KiServiceTable[287]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a824bc0 DOES NOT belong to ANY MODULE!
  file   :89 a9 91 80
  memory :c0 4b 82 8a
  verdict = 5

module ntoskrnl.exe: end of details
ntdll.dll            (7c800000 - 7c8c0000)... innocent hooking (verdict = 2).
module ntdll.dll [0x7c800000 - 0x7c8c0000]:
 0x7c8211fd (section .text) [NtCreateFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x617752cb)
  address 0x617752cb is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 ce 40 f5 e4
  verdict = 2

 0x7c82123d (section .text) [NtCreateKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775305)
  address 0x61775305 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 c8 40 f5 e4
  verdict = 2

 0x7c8212fd (section .text) [NtCreateThread()+5]   5 byte(s):
  JMPing code (jmp to: 0x6177533f)
  address 0x6177533f is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 42 40 f5 e4
  verdict = 2

 0x7c82139d (section .text) [NtDeleteFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775379)
  address 0x61775379 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 dc 3f f5 e4
  verdict = 2

 0x7c8213cd (section .text) [NtDeleteValueKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x617753b3)
  address 0x617753b3 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 e6 3f f5 e4
  verdict = 2

 0x7c82169d (section .text) [NtMapViewOfSection()+5]   5 byte(s):
  JMPing code (jmp to: 0x617753ed)
  address 0x617753ed is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 50 3d f5 e4
  verdict = 2

 0x7c82172d (section .text) [NtOpenFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775427)
  address 0x61775427 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 fa 3c f5 e4
  verdict = 2

 0x7c82175d (section .text) [NtOpenKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775461)
  address 0x61775461 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 04 3d f5 e4
  verdict = 2

 0x7c821c0d (section .text) [NtRenameKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x6177549b)
  address 0x6177549b is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 8e 38 f5 e4
  verdict = 2

 0x7c821e1d (section .text) [NtSetInformationFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x617754d5)
  address 0x617754d5 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 b8 36 f5 e4
  verdict = 2

 0x7c821f8d (section .text) [NtSetValueKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x6177550f)
  address 0x6177550f is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 82 35 f5 e4
  verdict = 2

 0x7c82202d (section .text) [NtTerminateProcess()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775549)
  address 0x61775549 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 1c 35 f5 e4
  verdict = 2

module ntdll.dll: end of details

SYSTEM INFECTION LEVEL: 5
    0 - BLUE
    1 - GREEN
    2 - YELLOW
    3 - ORANGE
    4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

Question by:Michaelgoff79
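As an added example (not code from the question or from the Virginity Verifier tool), a Python parser that walks the KiServiceTable entries of a report like the one above and sorts the hooks by where they land: into memory owned by no loaded module, into a driver the administrator can vouch for, or into a module that still needs identifying. The KNOWN_MODULES allowlist is an assumption for illustration and lists only modules that this report names.

```python
import re
from collections import defaultdict

# Excerpt of the question's Virginity Verifier report (3 SSDT entries; byte and path lines omitted).
SAMPLE_REPORT = """
 0x8083fcb0 [KiServiceTable[13]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d648 DOES NOT belong to ANY MODULE!
  verdict = 5

 0x8083fce8 [KiServiceTable[27]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d818 is inside d347bus.sys module [0xf7440000-0xf7466000]
  verdict = 2

 0x8083fd28 [KiServiceTable[43]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e6d330 is inside SYMEVENT.SYS module [0xb9e59000-0xb9e79000]
  verdict = 2
"""

# Assumption: drivers the admin knows were installed on purpose (Symantec, SUPERAntiSpyware).
KNOWN_MODULES = {"symevent.sys", "sysfer.dll", "saskutil.sys"}

ENTRY_RE = re.compile(r"^\s*0x[0-9a-f]+ \[KiServiceTable\[(\d+)\]\]", re.M)
TARGET_RE = re.compile(r"address 0x([0-9a-f]+) (?:is inside (\S+) module|DOES NOT belong)")
VERDICT_RE = re.compile(r"verdict = (\d+)")

def parse_ssdt_hooks(report):
    """One dict per KiServiceTable entry: index, target address, owning module (None if unmapped), verdict."""
    hooks = []
    for block in re.split(r"\n\s*\n", report.strip()):
        idx, tgt, ver = ENTRY_RE.search(block), TARGET_RE.search(block), VERDICT_RE.search(block)
        if not (idx and tgt and ver):
            continue  # .text patches and exclusion-filter entries carry no SSDT index
        hooks.append({"index": int(idx.group(1)), "address": int(tgt.group(1), 16),
                      "module": tgt.group(2), "verdict": int(ver.group(1))})
    return hooks

def triage(hooks, known_modules=KNOWN_MODULES):
    """Group hooks: unmapped memory needs explaining first, allowlisted drivers are expected, rest need a lookup."""
    groups = defaultdict(list)
    for h in hooks:
        if h["module"] is None:
            groups["unmapped"].append(h)
        elif h["module"].lower() in known_modules:
            groups["known"].append(h)
        else:
            groups["unknown_module"].append(h)
    return groups
```

Run over the full report, the "unmapped" group is the list to explain before anything else; a security product that allocates its own hook stubs can land there, which is why the module list and the address ranges matter more than the verdict number alone.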
3 Comments
LVL 12

Expert Comment

by:jahboite
ID: 22970295
You didn't attach the gmer and rootkit revealer result!

So far, it's not conclusive and although the areas of memory without reference to loaded modules might be cause for concern, it might be your symantec software protecting itself.

The evilbot may be a false positive arising from SAS's detection of a symantec file named winexec.exe. You could upload this file to Virus Total at http://www.virustotal.com/ to be analysed - it may well come back as http://www.virustotal.com/analisis/705cbc083b5dffe68f9eb8c565b1f296.

Do post the other rootkit reports.
LVL 1

Author Comment

by:Michaelgoff79
ID: 22971631
Sorry, it looks like I have posted the same question twice. If you search the knowledge base for rootkit on domain controller you will find the logs attached on that posted question. I am also concerned that the results are inconclusive. However, I definitely want to get to the bottom of this and would certainly appreciate your input. I will post the logs for hijack this; icesword failed to initialize, rootkit revealer errored dumping hives and couldn't mount the volume. I can say that real vnc has been wide open since 2004, and that neither the server nor the workstations have been patched for a couple of years. They have a wireless router with wep enabled in a college town that primarily focuses on technology, comp sci etc. In saying that, I find it very hard to believe that their network has not been compromised in some form.
LVL 12

Accepted Solution

by:
jahboite earned 1500 total points
ID: 22975173
Well, apart from RKR's inability to read your filesystem I still see nothing which absolutely confirms you have a rootkit.

It would be interesting to know whether symantec is up-to-date and whether it has found any malware recently.
It would also be interesting to see any traffic to or from the DC which you cannot account for.  Is there a firewall in place and are there logs?