well i know its lame, but i needed an ftp to test the exploit on, so why not pick a hacked 100mbit from someone I dislike...

The exploit works perfectly, gives you remote cmd.exe (remember to run it from a remote box, which has open incoming ports).

Now, I was quite surprised to find that the ftp has been so well hidden, that from a remote shell working through hxdef, I couldnt find the servu installation.

Eventually after using a file searching tool, i discovered some of the serv-u files, but what really surprised me, was that the UP and DOWN folders were apparently empty, yet the ftp was serving about 20gb of files.

I know hxdef wouldnt hide this from a remote shell, so what rootkit could this be??

Anyway, the exploit works frighteningly well, so im changing all my ftps to another less well known server.

Dont bother replying if only to flame me for rehacking.

The thread here is about what varieties of rootkit can hide files from remote shells and dameware (and how to remove them).

no flame here, if someone has weak enough passes or doesnt keep on top of things they're fair game.

there are a number of private rootkits, track that one down and post it

and what exploit did you use? the one by lion just crashes shit and the other one hasnt been ported to win32 yet.

i have post a win32 exploit code
but i think it is for chinese edition only
so if you want use you should change the offset

thanks for that stonebreaker, and cranky, you couldn't be righter.
We are the hunters. Fair game is plentyful.

No flame here either.. Thats how the game is being played

i used the servu exploit code posted on this website, it defnitely works (the one you need to compile using gcc).

i think there is a good opportunity to steal a lot of ftps in next few weeks, as most ppl are unaware of the severity of the exploit.

oh and in my search for the rootkit on this box, here's the service list:

Service Name Display Name Status
----------------------------------------------------------------------------
Alerter Alerter (RUNNING)
AlertManager Network Associates Alert Manager (RUNNING)
AppMgmt Application Management (STOPPED)
AspQmail AspQmail (RUNNING)
BITS Background Intelligent Transfer Service(RUNNING)
Browser Computer Browser (RUNNING)
cisvc Indexing Service (STOPPED)
ClipSrv ClipBook (STOPPED)
Dfs Distributed File System (RUNNING)
Dhcp DHCP Client (STOPPED)
dmadmin Logical Disk Manager Administrative Service(STOPPED)
dmserver Logical Disk Manager (RUNNING)
Dnscache DNS Client (RUNNING)
DWMRCS DameWare Mini Remote Control (STOPPED)
Eventlog Event Log (RUNNING)
EventSystem COM+ Event System (RUNNING)
Fax Fax Service (STOPPED)
FINGRD32 IMail FINGER Server (STOPPED)
IISADMIN IIS Admin Service (RUNNING)
ILDAP IMail LDAP Server (STOPPED)
IMAP4D32 IMail IMAP4 Server (STOPPED)
IMonitor IMail Monitor Service (STOPPED)
IsmServ Intersite Messaging (STOPPED)
IWebCal IMail Web Calendar Service (STOPPED)
IWEBMSG IMail Web Service (RUNNING)
kdc Kerberos Key Distribution Center (STOPPED)
lanmanserver Server (RUNNING)
lanmanworkstation Workstation (RUNNING)
LicenseService License Logging Service (STOPPED)
LiveStats LiveStats Reporting Server (RUNNING)
livestats Collector LiveStats Data Collector (RUNNING)
LmHosts TCP/IP NetBIOS Helper Service (RUNNING)
McShield Network Associates McShield (STOPPED)
McTaskManager Network Associates Task Manager (RUNNING)
Messenger Messenger (RUNNING)
mnmsrvc NetMeeting Remote Desktop Sharing (STOPPED)
MSDTC Distributed Transaction Coordinator (RUNNING)
MSFTPSVC FTP Publishing Service (RUNNING)
MSIServer Windows Installer (STOPPED)
MSSEARCH Microsoft Search (RUNNING)
MSSQLSERVER MSSQLSERVER (RUNNING)
MSSQLServerADHelper MSSQLServerADHelper (STOPPED)
mysql mysql (RUNNING)
NetDDE Network DDE (STOPPED)
NetDDEdsdm Network DDE DSDM (STOPPED)
Netlogon Net Logon (STOPPED)
Netman Network Connections (STOPPED)
NtFrs File Replication (STOPPED)
NtLmSsp NT LM Security Support Provider (RUNNING)
NtmsSvc Removable Storage (RUNNING)
PlugPlay Plug and Play (RUNNING)
PolicyAgent IPSEC Policy Agent (RUNNING)
POP3D32 IMail POP3 Server (RUNNING)
ProtectedStorage Protected Storage (RUNNING)
PSERVE IMail PWD Server (STOPPED)
RasAuto Remote Access Auto Connection Manager (STOPPED)
RasMan Remote Access Connection Manager (RUNNING)
RemoteAccess Routing and Remote Access (STOPPED)
RemoteRegistry Remote Registry Service (RUNNING)
RpcLocator Remote Procedure Call (RPC) Locator (STOPPED)
RpcSs Remote Procedure Call (RPC) (RUNNING)
RSVP QoS RSVP (STOPPED)
SamSs Security Accounts Manager (RUNNING)
SCardDrv Smart Card Helper (STOPPED)
SCardSvr Smart Card (STOPPED)
Schedule Task Scheduler (RUNNING)
seclogon RunAs Service (RUNNING)
SENS System Event Notification (RUNNING)
SharedAccess Internet Connection Sharing (STOPPED)
SMTPD32 IMail SMTP Server (RUNNING)
SMTPSVC Simple Mail Transport Protocol (SMTP) (STOPPED)
Spooler Print Spooler (RUNNING)
SPTimer SharePoint Timer Service (RUNNING)
SQLSERVERAGENT SQLSERVERAGENT (RUNNING)
SYSLOGD IMail Sys Logger Service (STOPPED)
SysmonLog Performance Logs and Alerts (STOPPED)
TapiSrv Telephony (RUNNING)
TermService Terminal Services (RUNNING)
TlntSvr Telnet (STOPPED)
TrkSvr Distributed Link Tracking Server (STOPPED)
TrkWks Distributed Link Tracking Client (RUNNING)
UPS Uninterruptible Power Supply (STOPPED)
UtilMan Utility Manager (STOPPED)
W32Time Windows Time (STOPPED)
W3SVC World Wide Web Publishing Service (RUNNING)
WHOISD32 IMail WHOIS Server (STOPPED)
WinMgmt Windows Management Instrumentation (RUNNING)
Wmi Windows Management Instrumentation Driver Extensions(RUNNING)
wuauserv Automatic Updates (RUNNING)
WZCSVC Wireless Configuration (STOPPED)

does anyone spot a suspicous item here? It's a webserver, so there a quite a lot listed.

For those of you who are not having success with the exploit, it's probably your router or firewall blocking the revcon shell.

Damn LAMERS!
How someone can resist replyin only to flame you?!
Respect the work that someone has done!U might be the next who will get rehacked.Would you like that?

i personally think rehacking is fair game. i have already secured all my ftps, by swapping to a non-public ftp server that i compiled myself.

this exploit has been around for a long time now (at least in public as dos), so if you are too lazy to update your ftps, then dont be surprised if you lose them.

[edit] you might as well have said, how would you like it if your webserver got hacked - that would be worse to me, than losing a stro i was too lazy to keep secure.

lol, we are the ppl who STEAL innocent users bandwidth and diskspace because they are not security conscious enough to install updates to windows and programs.

so suddenly hackers / skiddies having a morality attack about ppl stealing their stolen bandwidth is laughable.

this is like you steal a car, and then i steal that car from you. the victim here is the poor person who lost his car initially.

and going back to point one. the ppl who get hacked are those who are not security wise enough to update software....now suddenly that has become you.

if you are too lazy to update your software on your vics, then it's fair play to take them from you... it's no different to me hacking a innocent security unaware pc user.

true. ive only ever used hackerdefender, which can't hide them from remote progs like dameware etc.

which rootkits manage to hide them remotely as well?

how about using fport to trace the servu and then download the .ini file and u've got urself the location of his files...

nice idea, but it wont work, since the exploit crashes serv-u

Steffan (filtered) off this is nothing like that you litte kid
"31337 H4cK3rZ" lol you one of thoose badass hax0x0x0x0x0x0x0rzzzzZ??
This is a secrurity forum and no (filtered) hax0r0z0rxs0r playground

Anyway, enough with flaming from me. With this sploit you need a upload acount and know the actuall dir of the homedir, no?

i find the scared anti-rehacking comments very amusing. Suppose I am scanning for exploitable webservers, when I find one, I see it's someone elses stro.

Do i move on and think about these so called "1337 rulez" you keep referring to lol... no i remove the crap that's been installed, and secure the hole the last person didnt bother patch.

Siliconised - If your serv-u ftps vics get "stolen", then you only have yourself to blame.

Im certainly not going to be worried about a bunch of skiddies wanting revenge for me nicking their ftp.

IMO any box is fair game, whether or not it's been hacked before is irrelevent.

so what about that rootkit did you find it ?

there was a post about hiding files in a different ntfs stream maybe it was done on your server ?


if ya want my oppignion everyone hacking servers should go to jail.
We are here to discuss these things to prevent them to happen to our servers !

Dont forget that Please.

for the exploit to work, you simply need a vaild account on the ftp.

Gotisch, it is obvious that different ppl are here for different reasons. But the thing we all have in common is an interest in IT security, and we all want to learn more about it.

Let's not discuss our personal motivations, and keep to topic, instead of flaming each other.

And no I havent found the rootkit yet... im going to have to take a closer look...

tibbar did you check that ntfs thing ?

so, tibbar, pls dont ignore my post

What are you using to give you a service list? I find pstools somtimes finds "hidden" services, but if it's a good rootkit then it'll be hard to spot becuase the the actuall dll calls will be monitored and changed before it gets to the screen. Checkout www.rootkit.com for some utils to help.

The ntfs streaming is pretty cool but it does show up on the windows task list and pslist. If they've streamed the servu service in behind notepad.exe you'll see notepad.exe:servu.exe running. There's a program called lad.exe that will scan a folder for streamed files http://www.heysoft.de/nt/lads.zip which might be how the files are being hidden.

On the rehacking. imho is fair game, if they can't secure the box after hacking it then their probably script kiddies who know nothing more than how to use core impact or retina and they don't deserve it anyway

Thom, i dont THINK you need to know the home dir, seeming as most accounts i've seen have rwx access to most dirs, and some ftps drop you into the homedir. And as for upload, im not sure.. I'd have to study the exploit and i just dont have the time.. :\, anyway, hows that installation coming?

ah man havnt had time to (filtered) around with it yet just came back to my mums place is where the comp is and I got a test coming up