[superba]

I have got a W2000 server with just two NTFS partitions that was attacked by a variant of (I think) fu rootkit. The only thing (I think!) I haven't been able to get rid of is a [temp] directory in d:\recycler ('access denied'). I can't even see what is in there.

Safe mode w/command prompt doesn't work. I've messed around with the permissions a bit--no soap there, either.

Since it's an NTFS system with RAID, I can't boot from Knoppix. Is there a safe way to boot to raw DOS in this system, without messing up the RAID and NTFS? Would you recommend--should I even worry about this? No other part of the infection was on that drive. It's quite possible that I have just bollocksed up the info2 file and that's why I can't empty the directory ...

A final question--do rootkits like fu rootkit commonly make use of alternate data streams, cloaked registry entries or any of this other freakish-sounding stuff that I have not detected? The registry is clean, TDS-3 is now clean, etc.

Basically, how paranoid should I be?

Thanks in advance (very much!) for your thoughts,

Maria.

[Advertisements]

too many questions....

yes, rootkits common make use of all of those....


you can boot to command line by choosing that option on the startup menu (tapping f8)

then delete the info2...refresh my memory....anyone...windows 2000 is c:\recycled or c:\recycler.....brain block at the moment and I don't have a win2000 machine around.

[gerryf]

too many questions....

yes, rootkits common make use of all of those....


you can boot to command line by choosing that option on the startup menu (tapping f8)

then delete the info2...refresh my memory....anyone...windows 2000 is c:\recycled or c:\recycler.....brain block at the moment and I don't have a win2000 machine around.

[Murray S.]

Howdy:

Took me a minute to recognize it again as well Gerry..

The "Recycler" folder is the Recycle Bin folder.. Access is normally denied to that folder..

Murray