Re: Windows 2k rootkit incident, files zipped for your pleasure.

[Karl Larsson <karl.larsson () cellnetwork com>]

In-Reply-To: <5.2.0.9.2.20030612105515.020e77b8@localhost>

Hi,

Isn't this Hacker Defender v0.7.3 with modificated filenames and some 
utils added? The syntax of *.ini is exactly the same anyway....

Cheers,
Kalle




> If you don't mind me asking... how did you identify these files (eg. 
what 
> tools, etc).
>
> I have a Windows hard drive that was rooted, and I've found some of the 
> files from Linux (only having basic unix skills, I wouldn't know how to 
go 
> too much farther), but I've been unable to find all of them.  I would 
> dearly love to find the install/original file, but in the mean time I 
would 
> settle for the ini/config files which might tell me if I have missed any 
of 
> the others.  The root kit has elements of the Hacker Defender rootkit, 
but 
> seems to have gone even farther.
>
> Yours,
>
> John
>
>
> At 11:57 AM 6/12/2003 -0400, Drew Weaver wrote:
> >     Hi, with the help or Karl Levinson I was able to detect the 
presence of
> > a rootkit on one of my windows 2000 servers, I was able to grab the 
files
> > and zip them, so maybe we can watch for this stuff in the future, im not
> > sure if this rootkit has a particular name or what/not, you can get the
> > files here:
> >
> > http://www.soul-fu.com/beenhaxxored.zip
> >
> > Thanks Karl.
> >
> > -Drew
> >
> >
> > ------------------------------------------------------------------------
----
> > ------------------------------------------------------------------------
----
> -------------------------------------------------
> John Ives, GCWN
> Systems Administrator
> College of Chemistry
> (510) 643-1033
>
> "If you spend more on coffee than on IT security,  Then you will be 
hacked. 
> What's more,  you deserve to be hacked."   - Richard Clarke
>
> Any opinions expressed are my own and not those of the Regents of the 
> University of California. 
>
>
> -------------------------------------------------------------------------
---
> -------------------------------------------------------------------------
---
>

----------------------------------------------------------------------------
----------------------------------------------------------------------------