Full Version: Rootkits Are ****
Nap
Hi,
Does somebody know a good anti-rootkit detector?
I googled and found:

Rootkit Detector Profesional 2004 v0.62
Rootkit Detector Profesional 2004
Programmed by Andres Tarasco Acuna
Copyright © 2004 - 3wdesign Security
Url: http://www.3wdesign.es

Very good program, and it found a rootkit on my remote box, but if I stop the rootkit's service everything is still hidden (rootkit process, service and regkey entries).

Look at the results:

. .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .
Rootkit Detector Profesional 2004
Programmed by Andres Tarasco Acuna
Copyright © 2004 - 3wdesign Security
Url: http://www.3wdesign.es


-Gathering Service list Information... ( Found: 256 services )
-Gathering process List Information... ( Found: 32 process )
-Searching for Hidden process Handles. ( Found: 0 Hidden Process )
-Checking Visible Process.............
c:\winnt\system32\smss.exe
c:\winnt\system32\csrss.exe
c:\winnt\system32\winlogon.exe
c:\winnt\system32\lsass.exe
c:\winnt\system32\dllhost.exe
c:\winnt\system32\termsrv.exe
c:\winnt\system32\svchost.exe
c:\winnt\system32\msdtc.exe
c:\progra~1\navnt\vptray.exe
c:\winnt\system32\svchost.exe
c:\imail\iwebcal.exe
c:\imail\iwebmsg.exe
c:\progra~1\micros~3\mssql\binn\sqlservr.exe
c:\program files\persits software\aspemail\bin\emailagent.exe
c:\imail\pop3d32.exe
c:\winnt\system32\mstask.exe
c:\imail\smtpd32.exe
c:\winnt\system32\wbem\winmgmt.exe
c:\winnt\system32\inetsrv\inetinfo.exe
c:\program files\navnt\rtvscan.exe
c:\winnt\system32\msgsys.exe
c:\winnt\system32\dllhost.exe
c:\progra~1\micros~3\mssql\binn\sqlagent.exe
c:\winnt\system32\winlogon.exe
c:\winnt\explorer.exe
c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
c:\rkdetector.exe
c:\winnt\system32\csrss.exe
c:\winnt\system32\cmd.exe
c:\winnt\system32\rdpclip.exe
-Searching again for Hidden Services..
-Gathering Service list Information... ( Found: 0 Hidden Services)
-Searching for wrong Service Paths.... ( Found: 24 wrong Services )
-------------------------------------------------------------------------------
*SV: Alerter (Alerter) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: AppMgmt (Application Management) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: Browser (Computer Browser) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: Dhcp (DHCP Client) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: dmserver (Logical Disk Manager) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: Dnscache (DNS Client) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: Eventlog (Event Log) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: HackerDefenderDrv084 (HackerDefenderDrv084) PATH: c:\winnt\system32\temps\tmp\hxdefdrv.sys
-------------------------------------------------------------------------------
*SV: lanmanserver (Server) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: lanmanworkstation (Workstation) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: LmHosts (TCP/IP NetBIOS Helper Service) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: Messenger (Messenger) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: PlugPlay (Plug and Play) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: ProtectedStorage (Protected Storage) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: seclogon (RunAs Service) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: TrkSvr (Distributed Link Tracking Server) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: TrkWks (Distributed Link Tracking Client) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: W32Time (Windows Time) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
*SV: Wmi (Windows Management Instrumentation Driver Extensions) PATH: c:\winnt\system32\services.exe
-------------------------------------------------------------------------------
-Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 1 running rootkits)
-------------------------------------------------------------------------------
*ROOTKIT HACKER DEFENDER >= v0.82 FOUND. Path not available

I stopped the rootkit service, but I can't get into the path (c:\winnt\system32\temps\tmp); Win2k says "nothing found".

I ran Norton AntiVirus, but it found nothing.
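As an added example (not from the thread and not part of RKDetector), a small triage script for a report in the format quoted above: it separates the "wrong service path" hits that are merely services hosted by services.exe from the one entry registered out of a temp directory, and also picks up the hook-scan count. The sample lines are constructed from the report above; KNOWN_HOSTS and TEMP_MARKERS are my own assumptions about what counts as noise on a Win2k box.

```python
import re

# Constructed sample in the format of the RKDetector report quoted above
# (a handful of its lines, not the full report).
SAMPLE_REPORT = r"""
-Searching for wrong Service Paths.... ( Found: 24 wrong Services )
-------------------------------------------------------------------------------
*SV: Alerter (Alerter) PATH: c:\winnt\system32\services.exe
*SV: HackerDefenderDrv084 (HackerDefenderDrv084) PATH: c:\winnt\system32\temps\tmp\hxdefdrv.sys
*SV: W32Time (Windows Time) PATH: c:\winnt\system32\services.exe
-Searching for hxdef hooks............ ( Found: 1 running rootkits)
"""

SERVICE_LINE = re.compile(r"^\*SV: (\S+) \((.*)\) PATH: (.+)$")
HOOK_LINE = re.compile(r"hxdef hooks.*Found: (\d+) running rootkits")

# Assumed: binaries that legitimately host many Win2k services. RKDetector lists
# every service not backed by its own executable as a "wrong" path, so these are noise.
KNOWN_HOSTS = {"services.exe", "svchost.exe", "lsass.exe"}
# Assumed: directory fragments where a service binary or driver should never live.
TEMP_MARKERS = ("\\temp\\", "\\temps\\", "\\tmp\\")

def parse_report(report):
    """Return ([(name, display, path), ...], hooked_rootkit_count)."""
    services, hooked = [], 0
    for line in report.splitlines():
        if m := SERVICE_LINE.match(line.strip()):
            services.append(m.groups())
        elif m := HOOK_LINE.search(line):
            hooked = int(m.group(1))
    return services, hooked

def triage(services):
    """Split entries into noise (known hosts) and {name: reasons} to inspect."""
    noise, suspicious = [], {}
    for name, _display, path in services:
        path = path.lower()
        reasons = []
        if any(marker in path for marker in TEMP_MARKERS):
            reasons.append("binary lives in a temp directory")
        if path.endswith(".sys"):
            reasons.append("service is a kernel driver")
        basename = path.rsplit("\\", 1)[-1]
        if reasons:
            suspicious[name] = reasons
        elif basename in KNOWN_HOSTS:
            noise.append(name)
        else:
            suspicious[name] = ["unrecognised service binary: " + basename]
    return noise, suspicious
```

Run against the full report, the 23 services.exe entries land in the noise list and only the HackerDefenderDrv084 driver remains to investigate.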
Reckless
Yes, Hackerdefender makes the folder virtually non-existent. That is why c:\winnt\system32\temps\tmp couldn't be found. If the folder "doesn't exist".. then it's quite obvious that the A/V scanner cannot scan it ... Unless the hexdef.ini file or the client backdoor is detected by an antivirus, the rest of the files can't be found..

There was a tool on rootkit.com, I think it was called "WISE".. not too sure.. cannot verify as the site is down right now..

Rootkitdetector 0.62 <-- that was posted on GSO, but I think it's in the "Member only" file download section ..

The best solution would be to reformat...
r3L4x
Boot into DOS and take it out, or use a live Linux distro (Knoppix).
Bombers
I think those detectors must be banned from the internet... a rootkit is a method to hide stuff from other processes or users... This may never ever be broken by anything! It's a technology.
ice_cold45
QUOTE(Bombers @ Nov 1 2004, 12:20 PM)
I think those detectors must be banned from the internet... a rootkit is a method to hide stuff from other processes or users... This may never ever be broken by anything! It's a technology.

lol, they must be
Anyway, as long as we boot into Windows I think you are right, they may never be broken,
but we could add a few lines to autoexec.bat to make sure the system is clean, like dir /s hxdef*.*
tnp
Isn't it possible to make a rootkit undetected with Morphine or a simple hex editor?
Bombers
The detectors will always see the hooked APIs.. you can try to hide common rootkit detectors in your rootkit configuration... that's what I do
ScriptGod
A rootkit that is really undetectable is impossible, because somewhere in the kernel this hidden stuff must exist or it can't be used by root processes or something like that. The user mode rootkits like hxdef etc. are really easy to bypass: just reload your common DLLs or go to kernel mode. (There is also one possibility for hxdef: hxdef only hooks APIs like CreateFile but not NtCreateFile directly, so you can use these APIs and see everything.)

The hidden threads of the hidden process must exist in a list in the kernel or Windows won't run them anymore. You can enumerate this list to see hidden threads/processes. You can use alternative NTFS drivers to see hidden files...

Rootkit detector development is more sophisticated than rootkit development. The detectors can detect more than is implemented in rootkits at the moment.

So you can make the stuff hard to find, but not impossible.
strych_nine
Can you tell us the names of the files that need to be hidden?
blowspark
Hi,

HXD can't hide processes through NetBIOS .....

Connect to the remote box with DameWare ... search the services ... and remember the name of the HXD exe file ...

Then use a simple FTP server ... (for those things I use Serv-U 2.5) and name the exe of the FTP server the same as the rootkit exe ...
Then execute.... and connect ..... you'll see all the hidden dirs and so on ....

Now it's easy to uninstall all the hidden services and the rootkit ..
jubbly
WinRAR gives good browsing of an HDD to remove files/folders that are hidden, but I would take r3L4x's advice and use a live Linux CD to boot from and remove it that way.
Kendox
Also you can try Security Task Manager (you can find it easily with Google).

It shows you hidden processes.

Regards
Memento
speCt0R
Open Ports v1.2 @ http://rootkit.host.sk

Detectcon by Kd-Team @ http://www.kd-team.com

enjoy ^^
Serhat
I deleted something like this once..
just by using my Cygwin installation.. SSH'ing to it.. and using rm filename .. pretty weird..
I think it somehow hooks some API calls.. and returns nothing back when it gets the path of the rootkit?

Serhat
teamcrunk2k5
Sorry to ask this question, but I was just wondering, does anyone know any good sites for rootkits or autoroot kits, and how would I go about rooting webdev? I've tried SQL, I would like to know other ways and where I can get rootkits or autoroot kits or information about other rooting ways. Thanks, from a noobie<---------
teamcrunk2k5
Hi, I have this program called

SQLScan v1.00
SQL "Slammer" worm scanner

How do I use it to get into people's computers? Is there a rootkit or something of that sort for this? I got a few results but I don't know what to do with them.
beenal
QUOTE(teamcrunk2k5 @ Nov 14 2004, 07:10 PM)
Sorry to ask this question, but I was just wondering, does anyone know any good sites for rootkits or autoroot kits, and how would I go about rooting webdev? I've tried SQL, I would like to know other ways and where I can get rootkits or autoroot kits or information about other rooting ways. Thanks, from a noobie<---------

1. You don't rootkit a security hole, but the operating system.
2. Read the rules.

QUOTE(teamcrunk2k5 @ Nov 16 2004, 01:04 AM)
Hi, I have this program called

SQLScan v1.00
SQL "Slammer" worm scanner

How do I use it to get into people's computers? Is there a rootkit or something of that sort for this? I got a few results but I don't know what to do with them.

1. Read the rules.
2. If the program is called "worm scanner", then it scans for worms, or am I wrong?
lee
As far as I know Slammer has no backdoor, so I think it's a vuln scanner for the old exploit or a removal tool.
teamcrunk2k5
Hi, I was just wondering, can someone give me links to sites where I can get some X-Scan plugins? That would be wonderful if you can. Thanks a lot.
oedipus
teamcrunk, you're not going to do any mad hacking with that shit. Go read a book. I recommend something along the lines of "The Internet for Seniors". It should be at your library. Was probably made in 1989.

If, on the other hand, you want to actually learn something instead of trying to break into something with a worm-vuln scanner (?), I'd recommend learning a couple of programming languages and about TCP/IP.
twistedps
Reading about programming languages and network protocols isn't gonna teach him anything about security, except for how to limit the number of users that will connect to his 'server' programming example.

Try fooling around with the tools and shit on the board; if you see any source code released with it, check it out and experiment with it.
Booster2ooo
http://d.hatena.ne.jp/tessy/20040202 ...
Digital_Spirit
You should find yourself some good tutorials and learn from them. There is a reason that the term "Hacker" is not thrown around a lot. Hacker refers to one who has mastered a technology so well that they can in fact outsmart that technology because in essence they are smarter than the technology thereof. They know the program's next move before it does.
Before breaking the technology, remember: you must first master it. This is why we learn programming, TCP/IP, and so on before hacking. I mean, you don't take the car to town before learning how to drive. Why should hacking be any different?
droppunx
QUOTE(Digital_Spirit @ Dec 16 2004, 09:02 AM)
I mean, you don't take the car to town before learning how to drive. Why should hacking be any different?

Well, with the emergence of automatics your analogy doesn't quite work. A damn 8-year-old could drive an automatic, just like damn kiddies can exploit servers with no knowledge.

Now everyone go buy a stick-shift, and kiddies, stop calling yourselves "hackers" because you can use a public exploit.
Digital_Spirit
I am aware that there are a lot of skiddies out there, but you have to remember: there are also people that are serious about learning the art.
MrK
QUOTE(Reckless @ Oct 31 2004, 09:18 PM)
There was a tool on rootkit.com, I think it was called "WISE".. not too sure.. cannot verify as the site is down right now..

VICE is the one you're looking for - remember it comes up with a load of false positives so don't panic when you see the initial results (MS hook their own stuff, for example).
exobot
Old thread, however whilst we're on the subject: F-Secure's BlackLight doesn't look to be too bad at all.