| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Oct 2004 13:12:35 +0200 From: Andres Tarasco <atarasco@....es> To: "'bugtraq@...urityfocus.com'" <bugtraq@...urityfocus.com> Cc: "'pen-test@...urityfocus.com'" <pen-test@...urityfocus.com>, "'full-disclosure@...ts.netsys.com'" <full-disclosure@...ts.netsys.com>, "'submissions@...ketstormsecurity.org'" <submissions@...ketstormsecurity.org>, "'news@...uriteam.com'" <news@...uriteam.com>, "'dsr@...tas.rs-labs.com'" <dsr@...tas.rs-labs.com>, "'vuln@...urity.nnov.ru'" <vuln@...urity.nnov.ru>, "'hacking@...o.es'" <hacking@...o.es> Subject: Remote Rootkit Scanner for Windows Hacker defender is a rootkit that is being highly deployed by Hackers in compromised box in the last months. Due to a design Flaw its possible to remotely detect if an NT based computer is "infected" with this rootkit. Rkdscan was developed to check for this flaw, performing a network scan and after sending some data to open ports is able to detect if the remote box have been compromised. Usage: C:\rkdscan>rkdscan.exe xx.yy.0.0 xx.yy.10.0 Remote hxdef Scanner $Revision: 1.0 $ atarasco_@...a.es http://www.siainternational.com [+] Targets: xx.yy.0.0-xx.yy.10.0 with 150 Threads + xx.yy.0.1 + xx.yy.1.1 Checking xx.yy.1.5 port: 3389... Checking xx.yy.1.17 port: 3389... Checking xx.yy.1.17 port: 21... Checking xx.yy.1.30 port: 3389... Checking xx.yy.1.7 port: 21... Checking xx.yy.1.20 port: 21... Checking xx.yy.1.22 port: 1025... [+] IP: xx.yy.1.22 port: 1025 INFECTED with HACKER Defender v0.84 - v1.0.0 Checking xx.yy.1.66 port: 1025... Checking xx.yy.1.25 port: 21... [+] IP: xx.yy.1.66 port: 1025 INFECTED with HACKER Defender v0.84 - v1.0.0 Checking xx.yy.1.65 port: 3389... Checking xx.yy.1.47 port: 3389... Checking xx.yy.1.52 port: 7... [+] IP: xx.yy.1.52 port: 7 INFECTED with HACKER DEFENDER v0.82 - 0.83 Checking xx.yy.1.90 port: 3389... Checking xx.yy.1.101 port: 3389... Checking xx.yy.1.96 port: 3389... Checking xx.yy.1.97 port: 3389... Checking xx.yy.1.94 port: 7... Checking xx.yy.1.94 port: 80... [+] IP: xx.yy.1.94 port: 80 INFECTED with HACKER Defender v0.84 - v1.0.0 Checking xx.yy.1.109 port: 3389... Checking xx.yy.1.98 port: 3389... Checking xx.yy.1.21 port: 25... Checking xx.yy.1.116 port: 21... attached in this e-mail is a zip file with both source and binary files rkdscan.c md5sum: a24c0d9f35ccaa07efa8a291476a8a4d rkdscan.exe md5sum: 229fd4a1df6d76c799c9b059519f204a (compiled with Bc++ Builder) rkdscan.zip md5sum: bb653a41e757b9762070bcd1ec082e5e Special Thanks for Javier Olascoaga ( jolascoaga[at]sia.es ) for the development of a nasl/nessus script. Andrés Tarascó Acuña Security Consultant - Tiger Team Departamento de Consultoría Grupo SIA Avenida de Europa Nº 2. Alcor Plaza Edificio B. Parque Oeste Alcorcon. 28.922. Madrid *Tel.: +34 902 480 580 * Fax: +34 91 307 79 80 atarasco_@...a.es <www.sia.es> <<rkdscan.zip>> <<hacker_defender.nasl>> Content of type "text/html" skipped Download attachment "rkdscan.zip" of type "application/octet-stream" (43742 bytes) Download attachment "hacker_defender.nasl" of type "application/octet-stream" (2355 bytes)
Powered by blists - more mailing lists