Security Incidents mailing list archives
Re: Re: NKADM rootkit
From: Jeremy Pollack <jpollack2 () cox net>
Date: Wed, 26 May 2004 12:43:31 -0400
Thank you all for the feedback. I downloaded the Hacker Defender and, after telling Symantec to ignore it, I'll take a look at it.
From: Brian Eckman <eckman () umn edu>
Date: 2004/05/26 Wed AM 10:54:51 EDT
To: incidents () securityfocus com
Subject: Re: NKADM rootkit - Something new?

Jeremy Pollack wrote:
> Has anyone seen this NKADM rootkit? Four of the servers here were exploited at some point in the past 30 days and have been running this combination rootkit+ftp server. My searches have not hit anything. I definitely do not have a full picture of the whole thing yet, but what I do know is:
>
> <snip bunch of stuff>
>
> NKADM.INI
>
> [Hidden Table]
> nkadm*
> slimftpd.conf
> slimftpd.log
>
> [Root Processes]
> nkadm*
> ioA.exe
> ioGroups.exe
> ioLimitTransfers.exe
> ioUptime.exe
> ioZS.exe
> ioNewDay.exe
> SiteWho.exe
>
> [Hidden Services]
> nkserv*
> nkadm*
>
> [Hidden RegKeys]
> nkadm*
> NKADM*
> LEGACY_NKADM*
>
> [Hidden RegValues]
>
> [Startup Run]
>
> [Free Space]
>
> [Hidden Ports]
> TCP:4420,4421,4422,4423,4424,4425,4426,4427,4428,4429,7117,7116,20200,20201,20202,20203,20204,20205,20206,20207,20208,20209,20210,20211,20212,20213,20214,20215,20216,20217,20218,20219,20220
>
> [Settings]
> Password=pr3ssF1
> BackdoorShell=nkadmß$.exe
> FileMappingName=nkfolderrun
> ServiceName=nkadmhxdef100
> Se|rviceDisplayName=Backup Service
> ServiceDescription=Makes the Cow go M00
> DriverName=nkadmhxdefdrv100
> DriverFileName=nkadmdriver.sys
>
> <more snippage>

Looks just like Hacker Defender to me.

http://hxdef.czweb.org/

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
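An added example, not from the thread or from the rootkit's authors: a small Python parser for an ini in the layout quoted above, so a responder can turn a recovered config into things to check on a host (which ports the hooks hide, what the service is named, whether a process name matches a hidden pattern). The sample config is a constructed excerpt modelled on the quoted one, and the set of filler characters stripped before parsing is an assumption (only "|" is visible in the thread).

```python
import re
from collections import OrderedDict

# Constructed excerpt modelled on the config quoted in the thread; the stray "|"
# in "Se|rviceDisplayName" is kept on purpose to exercise the normalisation.
SAMPLE_INI = """\
[Hidden Table]
nkadm*
slimftpd.conf
[Root Processes]
nkadm*
ioA.exe
[Hidden Services]
nkserv*
[Hidden Ports]
TCP:4420,4421,7117,20200
[Settings]
Password=pr3ssF1
BackdoorShell=nkadmß$.exe
Se|rviceDisplayName=Backup Service
DriverFileName=nkadmdriver.sys
"""

# ASSUMPTION: hxdef-style configs may be padded with filler characters that the
# rootkit ignores when reading its ini; this set is a guess beyond the "|" seen above.
IGNORED = '|<>"\\/'

def normalize(line):
    """Drop assumed filler characters and surrounding whitespace."""
    return ''.join(ch for ch in line if ch not in IGNORED).strip()

def parse_hxdef_ini(text):
    """Map each [Section] to the list of normalised entries under it."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = normalize(raw)
        if not line or line.startswith(';'):          # blank or comment line
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def settings(sections):
    """[Settings] as key/value pairs (service name, driver file, shell name)."""
    return dict(entry.partition('=')[::2] for entry in sections.get('Settings', []))

def hidden_ports(sections):
    """(protocol, port) tuples the rootkit removes from local socket listings."""
    ports = set()
    for entry in sections.get('Hidden Ports', []):
        proto, _, nums = entry.partition(':')
        ports.update((proto, int(n)) for n in nums.split(',') if n.isdigit())
    return sorted(ports)

def matches_hidden(name, sections, section='Root Processes'):
    """True if a process/file name matches a wildcard pattern in the section."""
    return any(re.fullmatch(re.escape(p).replace(r'\*', '.*'), name, re.I)
               for p in sections.get(section, []))
```

Because the rootkit hides these artefacts from the live system, the patterns are most useful against an offline view (disk image, remote port scan, or a listing taken from a clean boot environment).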