Security Incidents mailing list archives
Re: NKADM rootkit - Something new?
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 26 May 2004 09:32:00 -0700 (PDT)
This is an excellent example of what happens when you take the easy route and look at something (particularly on Windows systems) based on filenames or open ports...both are configurable in most cases.

--- Brian Eckman <eckman () umn edu> wrote:
Jeremy Pollack wrote:
Has anyone seen this NKADM rootkit? Four of the servers here were exploited at some point in the past 30 days and have been running this combination rootkit+ftp server. My searches have not hit anything. I definitely do not have a full picture of the whole thing yet, but what I do know is:
<snip bunch of stuff>
NKADM.INI
[Hidden Table]
nkadm*
slimftpd.conf
slimftpd.log
[Root Processes]
nkadm*
ioA.exe
ioGroups.exe
ioLimitTransfers.exe
ioUptime.exe
ioZS.exe
ioNewDay.exe
SiteWho.exe
[Hidden Services]
nkserv*
nkadm*
[Hidden RegKeys]
nkadm*
NKADM*
LEGACY_NKADM*
[Hidden RegValues]
[Startup Run]
[Free Space]
[Hidden Ports]
TCP:4420,4421,4422,4423,4424,4425,4426,4427,4428,4429,7117,7116,20200,20201,20202,20203,20204,20205,20206,20207,20208,20209,20210,20211,20212,20213,20214,20215,20216,20217,20218,20219,20220
[Settings]
Password=pr3ssF1
BackdoorShell=nkadmß$.exe
FileMappingName=nkfolderrun
ServiceName=nkadmhxdef100
Se|rviceDisplayName=Backup Service
ServiceDescription=Makes the Cow go M00
DriverName=nkadmhxdefdrv100
DriverFileName=nkadmdriver.sys
<more snippage>

Looks just like Hacker Defender to me.
http://hxdef.czweb.org/

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
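The config quoted above is what makes Harlan's point concrete: every name, service and port the rootkit hides is just a line in an ini file, so a responder who greps for "nkadm" or scans for port 4420 is only checking one attacker's choices. What a responder can do with such a file, once it is recovered from disk, is turn its hiding rules into a filter and compare a trusted view (offline image, remote port scan) against what the live host shows. The following is an added example for this thread, not code from the post or from the Hacker Defender project. It assumes the section semantics as hxdef documents them ([Hidden Table] lists hidden files/processes, [Root Processes] lists programs exempt from the hooks), assumes that filler characters such as the `|` in the posted `Se|rviceDisplayName` are ignored by the rootkit's ini reader, and uses a trimmed excerpt of the posted config plus a constructed process/port listing as input.

```python
import re

# Trimmed excerpt of the NKADM.INI quoted in the thread; constructed sample input.
SAMPLE_INI = """\
[Hidden Table]
nkadm*
slimftpd.conf
slimftpd.log
[Root Processes]
nkadm*
ioA.exe
SiteWho.exe
[Hidden Services]
nkserv*
nkadm*
[Hidden Ports]
TCP:4420,4421,4422,7117,20200,20201
[Settings]
Password=pr3ssF1
BackdoorShell=nkadm\u00df$.exe
Se|rviceDisplayName=Backup Service
ServiceDescription=Makes the Cow go M00
"""

# Assumption: the rootkit's ini reader ignores filler characters like these
# (the posted key "Se|rviceDisplayName" only parses sensibly that way).
FILLER = str.maketrans("", "", '|<>"')


def parse_hxdef_ini(text):
    """Parse an hxdef-style ini into {section: [entries] or {key: value}}."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.translate(FILLER).strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, {} if section == "Settings" else [])
            continue
        if section is None:
            continue
        if section == "Settings":
            key, _, value = line.partition("=")
            cfg[section][key.strip()] = value.strip()
        elif section == "Hidden Ports":
            # "TCP:4420,4421,..." -> [("TCP", 4420), ("TCP", 4421), ...]
            proto, _, ports = line.partition(":")
            for port in ports.split(","):
                if port.strip().isdigit():
                    cfg[section].append((proto.strip().upper(), int(port)))
        else:
            cfg[section].append(line)
    return cfg


def wildcard_to_regex(pattern):
    """Wildcard as used in the ini: '*' any run, '?' one char; Windows names are case-insensitive."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)


def matches_section(cfg, name, section):
    """True if `name` matches any pattern listed under `section`."""
    return any(wildcard_to_regex(p).match(name) for p in cfg.get(section, []))


def cross_view_diff(cfg, trusted_processes, trusted_listeners):
    """Given listings taken outside the rootkit's reach (offline image, remote
    port scan), report which entries the hooked live view would suppress, and
    which processes the config exempts from the hooks ("root processes")."""
    hidden_procs = [p for p in trusted_processes if matches_section(cfg, p, "Hidden Table")]
    exempt_procs = [p for p in trusted_processes if matches_section(cfg, p, "Root Processes")]
    hidden_ports = sorted(set(cfg.get("Hidden Ports", [])) & set(trusted_listeners))
    return {"hidden_processes": hidden_procs, "exempt_processes": exempt_procs, "hidden_ports": hidden_ports}


def demo():
    """Run the diff against a constructed 'trusted view' of the compromised host."""
    cfg = parse_hxdef_ini(SAMPLE_INI)
    processes = ["svchost.exe", "NKADMhxdef100.exe", "slimftpd.exe", "ioA.exe"]  # constructed
    listeners = [("TCP", 21), ("TCP", 3389), ("TCP", 4420), ("TCP", 20200)]     # constructed
    return cfg, cross_view_diff(cfg, processes, listeners)


if __name__ == "__main__":
    cfg, diff = demo()
    print("service shown as:", cfg["Settings"].get("ServiceDisplayName"))
    for key, values in diff.items():
        print(f"{key}: {values}")
```

Note that `slimftpd.exe` is not reported as hidden: only `slimftpd.conf` and `.log` are in [Hidden Table], which is exactly the kind of detail a filename-based sweep would miss one way or the other. The hidden port set and the `nkadm*` prefix are the attacker's configuration, so the useful part of this approach is the diff itself, not the particular strings.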
Current thread:
- NKADM rootkit - Something new? Jeremy Pollack (May 26)
- Re: NKADM rootkit - Something new? Brian Eckman (May 26)
- Re: NKADM rootkit - Something new? Harlan Carvey (May 26)
- Re: NKADM rootkit - Something new? Paul Schmehl (May 26)
- Re: NKADM rootkit - Something new? Paul Schmehl (May 27)
- Re: NKADM rootkit - Something new? Robert P. McKenzie (May 27)
- Re: NKADM rootkit - Something new? Pho Man (May 27)
- Re: NKADM rootkit - Something new? Harlan Carvey (May 27)
- RE: NKADM rootkit - Something new? Don Wolf (May 28)
- RE: NKADM rootkit - Something new? Harlan Carvey (May 28)
- Re: NKADM rootkit - Something new? Gadi Evron (May 31)
- Re: NKADM rootkit - Something new? Harlan Carvey (May 26)
- Re: NKADM rootkit - Something new? Brian Eckman (May 26)
- Re: NKADM rootkit - Something new? InfoSec (May 27)
- RE: NKADM rootkit - Something new? Dave Paris (May 28)