Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: NKADM rootkit - Something new?
From: Brian Eckman <eckman () umn edu>
Date: Wed, 26 May 2004 09:54:51 -0500
Jeremy Pollack wrote:


Has anyone seen this NKADM rootkit? Four of the servers here were exploited at some point in the past 30 days and have 
been  running this combination rootkit+ftp server. My searches have not hit anything. I definitely do not have a full 
picture of the whole thing yet, but what I do know is:



<snip bunch of stuff>


NKADM.INI

[Hidden Table]
nkadm*
slimftpd.conf
slimftpd.log

[Root Processes]
nkadm*
ioA.exe
ioGroups.exe
ioLimitTransfers.exe
ioUptime.exe
ioZS.exe
ioNewDay.exe
SiteWho.exe

[Hidden Services]
nkserv*
nkadm*
[Hidden RegKeys] 
nkadm*
NKADM*
LEGACY_NKADM*
[Hidden RegValues] [Startup Run] 

[Free Space]

[Hidden Ports]
TCP:4420,4421,4422,4423,4424,4425,4426,4427,4428,4429,7117,7116,20200,20201,20202,20203,20204,20205,20206,20207,20208,20209,20210,20211,20212,20213,20214,20215,20216,20217,20218,20219,20220
[Settings] Password=pr3ssF1 
BackdoorShell=nkadmß$.exe
FileMappingName=nkfolderrun
ServiceName=nkadmhxdef100
Se|rviceDisplayName=Backup Service
ServiceDescription=Makes the Cow go M00
DriverName=nkadmhxdefdrv100
DriverFileName=nkadmdriver.sys


<more snippage>

Looks just like Hacker Defender to me. http://hxdef.czweb.org/

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]