Michaelgoff79 asked:
Root Kit on Domain Controller

I would like to know if these results allow us to safely conclude that the server has a rootkit, and whether or not there is a way to determine how it got there, how much access the rootkit allows, and whether or not there is a way to tell if any of the data has been compromised. RealVNC has been on the server since 2004 and no one ever updated the software; there have been hundreds of people trying to log in to it from all over, and I know that there are some exploits for older versions. Also, I know that the server has not been patched for well over 2 years. The guy that took care of the IT at this company was mostly here for desktop support. Also, I would like to know about our legal obligations to inform customers of these findings. The first scan is from Virginity Verifier; RootkitRevealer results are in an attached file. GMER results are also in an attached file. SUPERAntiSpyware found Worm.evilbot-B.
Any help that you may provide will be greatly appreciated!!!
verifying module: [        ntoskrnl.exe]  0%... -
verifying module: [          ftdisk.sys]  9%... -
verifying module: [            disk.sys] 17%... -
verifying module: [            Ntfs.sys] 20%... \
verifying module: [            NDIS.sys] 21%... |
verifying module: [             TDI.SYS] 41%... /
verifying module: [           tcpip.sys] 62%... \
verifying module: [             afd.sys] 65%... \
verifying module: [           ntdll.dll] 92%... -
verifying module: [        kernel32.dll] 93%... \
verifying module: [        ADVAPI32.dll] 95%... \
verifying module: [           PSAPI.DLL] 97%... /
verifying module: [          WS2_32.dll] 97%... -
verifying module: [          USER32.dll] 99%... |
                                                           
ntoskrnl.exe         (80800000 - 80a75000)... suspected! (verdict = 5).
module ntoskrnl.exe [0x80800000 - 0x80a75000]:
 0x80834d38 (section .text)   5 byte(s):
  JMPing code (jmp to: 0xf71d8bab)
  address 0xf71d8bab is inside SysPlant.sys module [0xf71d3000-0xf71ef000]
  target module path: SysPlant.sys
  file   :2b e1 c1 e9 02
  memory :e9 73 3e 9a 76
  verdict = 2

 0x80834e4c (section .text)   1 byte(s):  exclusion filter: KiSystemCallExitBranch() [05->06]
  file   :05
  memory :06
  verdict = 1

 0x8083ab62 (section .text)  18 byte(s):  exclusion filter: KeFlushCurrentTb()
  file   :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
  memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
  verdict = 1

 0x8083ab7a (section .text)   1 byte(s):  exclusion filter: KeFlushCurrentTb() [c3->00]
  file   :c3
  memory :00
  verdict = 1

 0x8083b0e7 (section .text) [RtlPrefetchMemoryNonTemporal()+0]   1 byte(s):  exclusion filter: RtlPrefetchMemoryNonTemporal() [c3->90]
  file   :c3
  memory :90
  verdict = 1

 0x8083fcb0 [KiServiceTable[13]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d648 DOES NOT belong to ANY MODULE!
  file   :78 3f 9a 80
  memory :48 d6 86 8a
  verdict = 5

 0x8083fcb4 [KiServiceTable[14]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a8266a0 DOES NOT belong to ANY MODULE!
  file   :2d 93 91 80
  memory :a0 66 82 8a
  verdict = 5

 0x8083fcc4 [KiServiceTable[18]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7c4468 DOES NOT belong to ANY MODULE!
  file   :2b 2d 85 80
  memory :68 44 7c 8a
  verdict = 5

 0x8083fce8 [KiServiceTable[27]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d818 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :ce ae 92 80
  memory :18 d8 44 f7
  verdict = 2

 0x8083fd28 [KiServiceTable[43]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e6d330 is inside SYMEVENT.SYS module [0xb9e59000-0xb9e79000]
  target module path: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
  file   :9f f6 93 80
  memory :30 d3 e6 b9
  verdict = 2

 0x8083fd30 [KiServiceTable[45]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d3f8 DOES NOT belong to ANY MODULE!
  file   :50 1b 94 80
  memory :f8 d3 86 8a
  verdict = 5

 0x8083fd38 [KiServiceTable[47]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf7441a20 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :73 c6 8c 80
  memory :20 1a 44 f7
  verdict = 2

 0x8083fd58 [KiServiceTable[55]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7e6648 DOES NOT belong to ANY MODULE!
  file   :51 58 91 80
  memory :48 66 7e 8a
  verdict = 5

 0x8083fda8 [KiServiceTable[75]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf74422a8 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :5d fc 93 80
  memory :a8 22 44 f7
  verdict = 2

 0x8083fdb0 [KiServiceTable[77]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d910 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :20 00 94 80
  memory :10 d9 44 f7
  verdict = 2

 0x8083fdd8 [KiServiceTable[87]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a824af0 DOES NOT belong to ANY MODULE!
  file   :10 41 85 80
  memory :f0 4a 82 8a
  verdict = 5

 0x8083fdf0 [KiServiceTable[93]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d4c8 DOES NOT belong to ANY MODULE!
  file   :5d d2 90 80
  memory :c8 d4 86 8a
  verdict = 5

 0x8083fdf8 [KiServiceTable[95]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d588 DOES NOT belong to ANY MODULE!
  file   :5f 0f 91 80
  memory :88 d5 86 8a
  verdict = 5

 0x8083fe40 [KiServiceTable[113]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a885828 DOES NOT belong to ANY MODULE!
  file   :76 16 93 80
  memory :28 58 88 8a
  verdict = 5

 0x8083fe5c [KiServiceTable[120]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d338 DOES NOT belong to ANY MODULE!
  file   :46 48 93 80
  memory :38 d3 86 8a
  verdict = 5

 0x8083fe70 [KiServiceTable[125]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e6d8c0 is inside SYMEVENT.SYS module [0xb9e59000-0xb9e79000]
  target module path: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
  file   :b7 e0 93 80
  memory :c0 d8 e6 b9
  verdict = 2

 0x8083fe80 [KiServiceTable[129]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a83da50 DOES NOT belong to ANY MODULE!
  file   :03 4b 93 80
  memory :50 da 83 8a
  verdict = 5

 0x8083fe98 [KiServiceTable[135]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a9634d8 DOES NOT belong to ANY MODULE!
  file   :5c d8 91 80
  memory :d8 34 96 8a
  verdict = 5

 0x8083feb8 [KiServiceTable[143]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xba26b280 is inside wpsdrvnt.sys module [0xba266000-0xba274000]
  target module path: \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
  file   :8c 10 94 80
  memory :80 b2 26 ba
  verdict = 2

 0x8083fed0 [KiServiceTable[149]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf71d77b0 is inside SysPlant.sys module [0xf71d3000-0xf71ef000]
  target module path: SysPlant.sys
  file   :34 0f 94 80
  memory :b0 77 1d f7
  verdict = 2

 0x8083ff18 [KiServiceTable[167]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf74422c8 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :21 f3 93 80
  memory :c8 22 44 f7
  verdict = 2

 0x8083ff60 [KiServiceTable[185]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d866 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :7e cb 93 80
  memory :66 d8 44 f7
  verdict = 2

 0x8083ffd4 [KiServiceTable[214]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a821820 DOES NOT belong to ANY MODULE!
  file   :6b 5e 91 80
  memory :20 18 82 8a
  verdict = 5

 0x8083fff0 [KiServiceTable[221]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a963418 DOES NOT belong to ANY MODULE!
  file   :1a 41 8f 80
  memory :18 34 96 8a
  verdict = 5

 0x80840030 [KiServiceTable[237]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a869860 DOES NOT belong to ANY MODULE!
  file   :39 b6 91 80
  memory :60 98 86 8a
  verdict = 5

 0x80840034 [KiServiceTable[238]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7c1460 DOES NOT belong to ANY MODULE!
  file   :6a 73 92 80
  memory :60 14 7c 8a
  verdict = 5

 0x80840064 [KiServiceTable[250]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d0b0 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :80 f3 9c 80
  memory :b0 d0 44 f7
  verdict = 2

 0x80840094 [KiServiceTable[262]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d278 DOES NOT belong to ANY MODULE!
  file   :bd 3e 9a 80
  memory :78 d2 86 8a
  verdict = 5

 0x80840098 [KiServiceTable[263]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a8267a8 DOES NOT belong to ANY MODULE!
  file   :8e 43 8f 80
  memory :a8 67 82 8a
  verdict = 5

 0x808400a4 [KiServiceTable[266]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e18f20 is inside SASKUTIL.sys module [0xb9e10000-0xb9e31000]
  target module path: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
  file   :8d 28 91 80
  memory :20 8f e1 b9
  verdict = 2

 0x808400a8 [KiServiceTable[267]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7c13a0 DOES NOT belong to ANY MODULE!
  file   :6b 1b 92 80
  memory :a0 13 7c 8a
  verdict = 5

 0x808400d0 [KiServiceTable[277]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86a218 DOES NOT belong to ANY MODULE!
  file   :b2 36 93 80
  memory :18 a2 86 8a
  verdict = 5

 0x808400f8 [KiServiceTable[287]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a824bc0 DOES NOT belong to ANY MODULE!
  file   :89 a9 91 80
  memory :c0 4b 82 8a
  verdict = 5

module ntoskrnl.exe: end of details
ntdll.dll            (7c800000 - 7c8c0000)... innocent hooking (verdict = 2).
module ntdll.dll [0x7c800000 - 0x7c8c0000]:
 0x7c8211fd (section .text) [NtCreateFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x617752cb)
  address 0x617752cb is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 ce 40 f5 e4
  verdict = 2

 0x7c82123d (section .text) [NtCreateKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775305)
  address 0x61775305 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 c8 40 f5 e4
  verdict = 2

 0x7c8212fd (section .text) [NtCreateThread()+5]   5 byte(s):
  JMPing code (jmp to: 0x6177533f)
  address 0x6177533f is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 42 40 f5 e4
  verdict = 2

 0x7c82139d (section .text) [NtDeleteFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775379)
  address 0x61775379 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 dc 3f f5 e4
  verdict = 2

 0x7c8213cd (section .text) [NtDeleteValueKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x617753b3)
  address 0x617753b3 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 e6 3f f5 e4
  verdict = 2

 0x7c82169d (section .text) [NtMapViewOfSection()+5]   5 byte(s):
  JMPing code (jmp to: 0x617753ed)
  address 0x617753ed is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 50 3d f5 e4
  verdict = 2

 0x7c82172d (section .text) [NtOpenFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775427)
  address 0x61775427 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 fa 3c f5 e4
  verdict = 2

 0x7c82175d (section .text) [NtOpenKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775461)
  address 0x61775461 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 04 3d f5 e4
  verdict = 2

 0x7c821c0d (section .text) [NtRenameKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x6177549b)
  address 0x6177549b is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 8e 38 f5 e4
  verdict = 2

 0x7c821e1d (section .text) [NtSetInformationFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x617754d5)
  address 0x617754d5 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 b8 36 f5 e4
  verdict = 2

 0x7c821f8d (section .text) [NtSetValueKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x6177550f)
  address 0x6177550f is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 82 35 f5 e4
  verdict = 2

 0x7c82202d (section .text) [NtTerminateProcess()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775549)
  address 0x61775549 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 1c 35 f5 e4
  verdict = 2

module ntdll.dll: end of details

SYSTEM INFECTION LEVEL: 5
    0 - BLUE
    1 - GREEN
    2 - YELLOW
    3 - ORANGE
    4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

Attachments: rootkit-revealer.bmp, gmer.log
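Reading a System Virginity Verifier report of this size by hand is error-prone, so here is a small parser for the format shown above, added as an example for this thread (it is not code from the original post or from the SVV tool). SAMPLE is constructed from three entries copied from the poster's ntoskrnl.exe section; the Hook fields, the regular expressions (derived from the layout as it appears in the post) and the category names in summarize() are my own assumptions. The consistency check decodes the four "file" and "memory" bytes of a KiServiceTable slot as a little-endian pointer: the memory bytes must equal the address SVV reports as the hook target, and the on-disk bytes must point back inside the ntoskrnl.exe image, i.e. at the original service routine.

```python
"""Parse System Virginity Verifier (SVV) output and triage the hooks it reports.
Added example for this thread, not code from the original post or from SVV;
SAMPLE is constructed from the poster's scan, the categories are my own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = r"""
module ntoskrnl.exe [0x80800000 - 0x80a75000]:
 0x80834e4c (section .text)   1 byte(s):  exclusion filter: KiSystemCallExitBranch() [05->06]
  file   :05
  memory :06
  verdict = 1

 0x8083fcb0 [KiServiceTable[13]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d648 DOES NOT belong to ANY MODULE!
  file   :78 3f 9a 80
  memory :48 d6 86 8a
  verdict = 5

 0x8083fd28 [KiServiceTable[43]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e6d330 is inside SYMEVENT.SYS module [0xb9e59000-0xb9e79000]
  target module path: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
  file   :9f f6 93 80
  memory :30 d3 e6 b9
  verdict = 2

module ntoskrnl.exe: end of details
"""

MODULE_RE = re.compile(r"^module (\S+) \[0x([0-9a-f]+) - 0x([0-9a-f]+)\]:$")
ENTRY_RE = re.compile(r"^0x([0-9a-f]+) (.*?)\s+\d+ byte\(s\):(.*)$")
INSIDE_RE = re.compile(r"^address 0x([0-9a-f]+) is inside (\S+) module \[")
ORPHAN_RE = re.compile(r"^address 0x([0-9a-f]+) DOES NOT belong to ANY MODULE!$")
BYTES_RE = re.compile(r"^(file|memory)\s*:([0-9a-f ]+)$")
VERDICT_RE = re.compile(r"^verdict = (\d+)$")

@dataclass
class Hook:
    module: str                          # image that was modified, e.g. ntoskrnl.exe
    address: int                         # where in that image the change sits
    where: str                           # SVV descriptor, e.g. "[KiServiceTable[13]]"
    excluded: bool                       # exclusion filter: known kernel self-patching
    file_bytes: bytes = b""              # bytes expected from the on-disk image
    memory_bytes: bytes = b""            # bytes actually present in memory
    target: Optional[int] = None         # where the hook points, if SVV resolved it
    target_module: Optional[str] = None  # owning driver; None = no module owns it
    verdict: int = 0

def parse_svv(text: str) -> Tuple[List[Hook], Dict[str, Tuple[int, int]]]:
    """Return the hook entries and a {module: (start, end)} map of image ranges."""
    hooks, ranges, module, cur = [], {}, "?", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MODULE_RE.match(line):
            module = m.group(1)
            ranges[module] = (int(m.group(2), 16), int(m.group(3), 16))
        elif m := ENTRY_RE.match(line):
            cur = Hook(module, int(m.group(1), 16), m.group(2).strip(),
                       "exclusion filter" in m.group(3))
        elif cur is None:
            continue                     # header noise outside any entry
        elif m := INSIDE_RE.match(line):
            cur.target, cur.target_module = int(m.group(1), 16), m.group(2)
        elif m := ORPHAN_RE.match(line):
            cur.target, cur.target_module = int(m.group(1), 16), None
        elif m := BYTES_RE.match(line):
            setattr(cur, m.group(1) + "_bytes", bytes.fromhex(m.group(2)))
        elif m := VERDICT_RE.match(line):
            cur.verdict = int(m.group(1))
            hooks.append(cur)            # the verdict line closes an entry
            cur = None
    return hooks, ranges

def ssdt_slot_is_consistent(h: Hook, ranges: Dict[str, Tuple[int, int]]) -> bool:
    """Memory bytes must decode to SVV's target; the on-disk bytes must point
    back inside the hooked image, i.e. at the original kernel service routine."""
    lo, hi = ranges[h.module]
    return (int.from_bytes(h.memory_bytes, "little") == h.target
            and lo <= int.from_bytes(h.file_bytes, "little") < hi)

def summarize(hooks: List[Hook]) -> dict:
    """Group entries as a responder reads them: noise, named-driver hooks, orphans."""
    out = {"excluded": 0, "by_driver": {}, "unattributed": [], "unresolved": []}
    for h in hooks:
        if h.excluded:
            out["excluded"] += 1
        elif h.target is None:
            out["unresolved"].append(h)
        elif h.target_module is None:
            out["unattributed"].append(h)   # jumps into memory no driver owns
        else:
            out["by_driver"].setdefault(h.target_module, []).append(h)
    return out
```

Run over the full report, summarize() separates the three kinds of entry the poster is looking at: exclusion-filter hits (verdict 1, normal kernel self-patching), hooks whose target lies inside a driver that SVV names (verdict 2, the kind SVV itself calls innocent hooking for ntdll.dll; each named driver should be matched against software the team knows is installed), and KiServiceTable slots pointing at addresses that "DO NOT belong to ANY MODULE" (verdict 5, the entries that push the infection level to DEEPRED and the first thing to investigate). For the verdict 5 slot in SAMPLE, the decoded on-disk pointer 0x809a3f78 sits inside ntoskrnl.exe while the in-memory pointer 0x8a86d648 does not, which is exactly what a system-call-table hook by code loaded outside any registered module looks like.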
ASKER CERTIFIED SOLUTION
H_Harry

If you have not been authorized to perform these scans of the systems, you're already treading on thin ice by doing the vulnerability scans. However foolish they have been in exposing an unpatched system to hundreds of users (hopefully we're not talking about being exposed to the Internet), that does not give you the right to exploit these vulnerabilities to test for weaknesses. If this is indeed the case, I'd caution against telling them, to protect yourself, and refrain from doing unauthorized tests in the future.

Having said that, given the SANS time-to-live stats, any unpatched Windows system exposed to the wild is almost guaranteed to be infected with something. The alarm for ntoskrnl.exe is disturbing, and if I were responsible for the system, I'd be taking it offline immediately, even if it incurs downtime on the network, since users' credentials are now potentially compromised. I would not have any faith in the DC backup images, since it's difficult to tell how long it's been compromised.

I'd re-deploy the DCs from a virgin image, and force users to change passwords at next login.

If in fact the DCs are exposed to the Internet, I'd be suggesting a network re-design.

Clearly, system and patch management needs to be addressed as well, along with some education for the administrators of the system.

H_Harry

Sorry, I have referred to the server as a DC but just re-read your post and you don't say it is a DC - the above still mostly applies though.
Michaelgoff79 (asker)

I should have specified earlier that I am the new sysadmin for this company, and am willing to do whatever it takes to restore the integrity of their systems. The problem is that we are looking at basically reformatting the DC and all of the workstations. Then there is the question of what was compromised, the level of access for the rootkit(s), and whether any of their data has been compromised.
I also read it as a Domain Controller from the subject line. And definitely, an engagement with a security consulting firm to do a thorough audit should be done.

You should also consider installing an IPS or, at the least, an IDS at appropriate points to identify any unusual traffic.

I have run some tests on the workstations and it appears as though the workstations have rootkits as well, considering that I am getting the same returns from the same scans on various workstations. RootkitRevealer won't run, GMER has some reports of infected files, and Virginity Verifier shows DEEPRED for ntoskrnl.exe, so the plan is to rebuild the domain controller with a fresh image, and all of the workstations as well. All port forwarding has been stopped, a Snort box will be put in place, all passwords will be changed, the wireless router will be replaced (WEP -> WPA2 AES), and some user education is due in the near future.