| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <F224FBA669BC42488E34CF105B4DD54D03024DBF@intramail> From: atarasco at sia.es (Andres Tarasco) Subject: Remote Rootkit Scanner for Windows Hacker defender is a rootkit that is being highly deployed by Hackers in compromised box in the last months. Due to a design Flaw its possible to remotely detect if an NT based computer is "infected" with this rootkit. Rkdscan was developed to check for this flaw, performing a network scan and after sending some data to open ports is able to detect if the remote box have been compromised. Usage: C:\rkdscan>rkdscan.exe xx.yy.0.0 xx.yy.10.0 Remote hxdef Scanner $Revision: 1.0 $ atarasco_@...a.es http://www.siainternational.com [+] Targets: xx.yy.0.0-xx.yy.10.0 with 150 Threads + xx.yy.0.1 + xx.yy.1.1 Checking xx.yy.1.5 port: 3389... Checking xx.yy.1.17 port: 3389... Checking xx.yy.1.17 port: 21... Checking xx.yy.1.30 port: 3389... Checking xx.yy.1.7 port: 21... Checking xx.yy.1.20 port: 21... Checking xx.yy.1.22 port: 1025... [+] IP: xx.yy.1.22 port: 1025 INFECTED with HACKER Defender v0.84 - v1.0.0 Checking xx.yy.1.66 port: 1025... Checking xx.yy.1.25 port: 21... [+] IP: xx.yy.1.66 port: 1025 INFECTED with HACKER Defender v0.84 - v1.0.0 Checking xx.yy.1.65 port: 3389... Checking xx.yy.1.47 port: 3389... Checking xx.yy.1.52 port: 7... [+] IP: xx.yy.1.52 port: 7 INFECTED with HACKER DEFENDER v0.82 - 0.83 Checking xx.yy.1.90 port: 3389... Checking xx.yy.1.101 port: 3389... Checking xx.yy.1.96 port: 3389... Checking xx.yy.1.97 port: 3389... Checking xx.yy.1.94 port: 7... Checking xx.yy.1.94 port: 80... [+] IP: xx.yy.1.94 port: 80 INFECTED with HACKER Defender v0.84 - v1.0.0 Checking xx.yy.1.109 port: 3389... Checking xx.yy.1.98 port: 3389... Checking xx.yy.1.21 port: 25... Checking xx.yy.1.116 port: 21... attached in this e-mail is a zip file with both source and binary files rkdscan.c md5sum: a24c0d9f35ccaa07efa8a291476a8a4d rkdscan.exe md5sum: 229fd4a1df6d76c799c9b059519f204a (compiled with Bc++ Builder) rkdscan.zip md5sum: bb653a41e757b9762070bcd1ec082e5e Special Thanks for Javier Olascoaga ( jolascoaga[at]sia.es ) for the development of a nasl/nessus script. Andr?s Tarasc? Acu?a Security Consultant - Tiger Team Departamento de Consultor?a Grupo SIA Avenida de Europa N? 2. Alcor Plaza Edificio B. Parque Oeste Alcorcon. 28.922. Madrid *Tel.: +34 902 480 580 * Fax: +34 91 307 79 80 atarasco_@...a.es <www.sia.es> <<rkdscan.zip>> <<hacker_defender.nasl>> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041019/c3c2d0b2/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: rkdscan.zip Type: application/octet-stream Size: 43742 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041019/c3c2d0b2/rkdscan.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: hacker_defender.nasl Type: application/octet-stream Size: 2354 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041019/c3c2d0b2/hacker_defender.obj
Powered by blists - more mailing lists