Security Incidents mailing list archives
Re: NKADM rootkit - Something new?
From: Brian Eckman <eckman () umn edu>
Date: Wed, 26 May 2004 09:54:51 -0500
Jeremy Pollack wrote:
Has anyone seen this NKADM rootkit? Four of the servers here were exploited at some point in the past 30 days and have been running this combination rootkit+ftp server. My searches have not hit anything. I definitely do not have a full picture of the whole thing yet, but what I do know is:
<snip bunch of stuff>
NKADM.INI

[Hidden Table]
nkadm*
slimftpd.conf
slimftpd.log
[Root Processes]
nkadm*
ioA.exe
ioGroups.exe
ioLimitTransfers.exe
ioUptime.exe
ioZS.exe
ioNewDay.exe
SiteWho.exe
[Hidden Services]
nkserv*
nkadm*
[Hidden RegKeys]
nkadm*
NKADM*
LEGACY_NKADM*
[Hidden RegValues]
[Startup Run]
[Free Space]
[Hidden Ports]
TCP:4420,4421,4422,4423,4424,4425,4426,4427,4428,4429,7117,7116,20200,20201,20202,20203,20204,20205,20206,20207,20208,20209,20210,20211,20212,20213,20214,20215,20216,20217,20218,20219,20220
[Settings]
Password=pr3ssF1
BackdoorShell=nkadmß$.exe
FileMappingName=nkfolderrun
ServiceName=nkadmhxdef100
ServiceDisplayName=Backup Service
ServiceDescription=Makes the Cow go M00
DriverName=nkadmhxdefdrv100
DriverFileName=nkadmdriver.sys
<more snippage>

Looks just like Hacker Defender to me.

http://hxdef.czweb.org/

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
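The NKADM.INI quoted above follows the Hacker Defender (hxdef) layout: the wildcard entries under [Hidden Table] and [Root Processes] are the names the rootkit's hooks filter out of directory and process listings on the live host, and [Hidden Ports] lists the sockets it drops from netstat. As an added example (not code from this thread or from hxdef), here is a small Python parser that turns such a config into checks a responder can run against views the rootkit cannot filter, such as a file listing from a mounted disk image or a port scan from another machine; the abbreviated INI and the listings fed to it are constructed.

```python
import fnmatch
import re

# Constructed sample, abbreviated from the NKADM.INI quoted in the thread.
SAMPLE_INI = """\
[Hidden Table]
nkadm*
slimftpd.conf
[Root Processes]
nkadm*
ioA.exe
[Hidden Ports]
TCP:4420,4421,7117,20200
"""

def parse_hxdef_ini(text):
    """Split hxdef-style text into {section: [entries]} (bare globs or key=value)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"\[.+\]", line):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def hidden_ports(sections):
    """Return {(proto, port)} from lines such as 'TCP:4420,4421' in [Hidden Ports]."""
    found = set()
    for line in sections.get("Hidden Ports", []):
        proto, _, ports = line.partition(":")
        found.update((proto.strip().upper(), int(p)) for p in ports.split(",") if p.strip().isdigit())
    return found

def matches_hidden(name, sections, section="Hidden Table"):
    """Case-insensitive glob match, since hxdef hides names by wildcard pattern."""
    return any(fnmatch.fnmatchcase(name.lower(), pat.lower()) for pat in sections.get(section, []))

def cross_view_findings(sections, offline_names, external_open_ports):
    """Offline names the live host would hide; externally open ports the live netstat would omit."""
    files = sorted(n for n in offline_names if matches_hidden(n, sections))
    ports = sorted(set(external_open_ports) & hidden_ports(sections))
    return files, ports

if __name__ == "__main__":
    cfg = parse_hxdef_ini(SAMPLE_INI)
    # Constructed inputs: names from a mounted disk image, ports from an external scan.
    print(cross_view_findings(cfg, ["NKADM.INI", "notepad.exe", "slimftpd.conf"],
                              [("TCP", 80), ("TCP", 4420), ("TCP", 21)]))
```

Any name or port that shows up in the offline or external view but not in the live host's own listing is the discrepancy to chase; the config only tells you where to look first.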