Forums: Rehacking - Forums


Rehacking servu

#1 User is offline   tibbar 

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 29 February 2004 - 11:06 PM

Well, I know it's lame, but I needed an FTP to test the exploit on, so why not pick a hacked 100mbit from someone I dislike...

The exploit works perfectly and gives you a remote cmd.exe (remember to run it from a remote box which has open incoming ports).

Now, I was quite surprised to find that the FTP had been so well hidden that, from a remote shell working through hxdef, I couldn't find the Serv-U installation.

Eventually, after using a file searching tool, I discovered some of the Serv-U files, but what really surprised me was that the UP and DOWN folders were apparently empty, yet the FTP was serving about 20GB of files.

I know hxdef wouldn't hide this from a remote shell, so what rootkit could this be?

Anyway, the exploit works frighteningly well, so I'm changing all my FTPs to another, less well-known server.

Don't bother replying if only to flame me for rehacking.

The thread here is about what varieties of rootkit can hide files from remote shells and DameWare (and how to remove them).
If you want to read more about my security research, visit Tibbar.org
0

#2 User is offline   cranky 

  • Private First Class
  • Group: Members
  • Posts: 44
  • Joined: 29-February 04

Posted 29 February 2004 - 11:31 PM

No flame here. If someone has weak enough passes or doesn't keep on top of things, they're fair game.

There are a number of private rootkits; track that one down and post it :P

And what exploit did you use? The one by lion just crashes shit and the other one hasn't been ported to win32 yet.
0

#3 User is offline   stonebreaker 

  • Private First Class
  • Group: Members
  • Posts: 98
  • Joined: 25-February 04

Posted 29 February 2004 - 11:51 PM

I have posted a win32 exploit code,
but I think it is for the Chinese edition only,
so if you want to use it you should change the offset.
0

#4 User is offline   linuxwolf 

  • Corporal
  • Group: Members
  • Posts: 173
  • Joined: 28-July 03

Posted 29 February 2004 - 11:54 PM

Thanks for that, stonebreaker, and cranky, you couldn't be more right.
We are the hunters. Fair game is plentiful. :D
0

#5 User is offline   R0x0r 

  • Private First Class
  • Group: Members
  • Posts: 90
  • Joined: 14-February 04

Posted 01 March 2004 - 12:51 AM

No flame here either... That's how the game is being played.
0

#6 User is offline   tibbar 

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 01 March 2004 - 12:52 AM

I used the Serv-U exploit code posted on this website; it definitely works (the one you need to compile using gcc).

I think there is a good opportunity to steal a lot of FTPs in the next few weeks, as most ppl are unaware of the severity of the exploit.

Oh, and in my search for the rootkit on this box, here's the service list:

Service Name Display Name Status
----------------------------------------------------------------------------
alerter alerter (RUNNING)
alertManager Network Associates alert Manager (RUNNING)
AppMgmt Application Management (STOPPED)
AspQmail AspQmail (RUNNING)
BITS Background Intelligent Transfer Service(RUNNING)
Browser Computer Browser (RUNNING)
cisvc Indexing Service (STOPPED)
ClipSrv ClipBook (STOPPED)
Dfs Distributed File System (RUNNING)
Dhcp DHCP Client (STOPPED)
dmadmin Logical Disk Manager Administrative Service(STOPPED)
dmserver Logical Disk Manager (RUNNING)
Dnscache DNS Client (RUNNING)
DWMRCS DameWare Mini Remote Control (STOPPED)
Eventlog Event Log (RUNNING)
EventSystem COM+ Event System (RUNNING)
Fax Fax Service (STOPPED)
FINGRD32 IMail FINGER Server (STOPPED)
IISADMIN IIS Admin Service (RUNNING)
ILDAP IMail LDAP Server (STOPPED)
IMAP4D32 IMail IMAP4 Server (STOPPED)
IMonitor IMail Monitor Service (STOPPED)
IsmServ Intersite Messaging (STOPPED)
IWebCal IMail Web Calendar Service (STOPPED)
IWEBMSG IMail Web Service (RUNNING)
kdc Kerberos Key Distribution Center (STOPPED)
lanmanserver Server (RUNNING)
lanmanworkstation Workstation (RUNNING)
LicenseService License Logging Service (STOPPED)
LiveStats LiveStats Reporting Server (RUNNING)
livestats Collector LiveStats Data Collector (RUNNING)
LmHosts TCP/IP NetBIOS Helper Service (RUNNING)
McShield Network Associates McShield (STOPPED)
McTaskManager Network Associates Task Manager (RUNNING)
Messenger Messenger (RUNNING)
mnmsrvc NetMeeting Remote Desktop Sharing (STOPPED)
MSDTC Distributed Transaction Coordinator (RUNNING)
MSFTPSVC FTP Publishing Service (RUNNING)
MSIServer Windows Installer (STOPPED)
MSSEARCH Microsoft Search (RUNNING)
MSSQLSERVER MSSQLSERVER (RUNNING)
MSSQLServerADHelper MSSQLServerADHelper (STOPPED)
mysql mysql (RUNNING)
NetDDE Network DDE (STOPPED)
NetDDEdsdm Network DDE DSDM (STOPPED)
Netlogon Net Logon (STOPPED)
Netman Network Connections (STOPPED)
NtFrs File Replication (STOPPED)
NtLmSsp NT LM Security Support Provider (RUNNING)
NtmsSvc Removable Storage (RUNNING)
PlugPlay Plug and Play (RUNNING)
PolicyAgent IPSEC Policy Agent (RUNNING)
POP3D32 IMail POP3 Server (RUNNING)
ProtectedStorage Protected Storage (RUNNING)
PSERVE IMail PWD Server (STOPPED)
RasAuto Remote Access Auto Connection Manager (STOPPED)
RasMan Remote Access Connection Manager (RUNNING)
RemoteAccess Routing and Remote Access (STOPPED)
RemoteRegistry Remote Registry Service (RUNNING)
RpcLocator Remote Procedure Call (RPC) Locator (STOPPED)
RpcSs Remote Procedure Call (RPC) (RUNNING)
RSVP QoS RSVP (STOPPED)
SamSs Security Accounts Manager (RUNNING)
SCardDrv Smart Card Helper (STOPPED)
SCardSvr Smart Card (STOPPED)
Schedule Task Scheduler (RUNNING)
seclogon RunAs Service (RUNNING)
SENS System Event Notification (RUNNING)
SharedAccess Internet Connection Sharing (STOPPED)
SMTPD32 IMail SMTP Server (RUNNING)
SMTPSVC Simple Mail Transport Protocol (SMTP) (STOPPED)
Spooler Print Spooler (RUNNING)
SPTimer SharePoint Timer Service (RUNNING)
SQLSERVERAGENT SQLSERVERAGENT (RUNNING)
SYSLOGD IMail Sys Logger Service (STOPPED)
SysmonLog Performance Logs and alerts (STOPPED)
TapiSrv Telephony (RUNNING)
TermService Terminal Services (RUNNING)
TlntSvr Telnet (STOPPED)
TrkSvr Distributed Link Tracking Server (STOPPED)
TrkWks Distributed Link Tracking Client (RUNNING)
UPS Uninterruptible Power Supply (STOPPED)
UtilMan Utility Manager (STOPPED)
W32Time Windows Time (STOPPED)
W3SVC World Wide Web Publishing Service (RUNNING)
WHOISD32 IMail WHOIS Server (STOPPED)
WinMgmt Windows Management Instrumentation (RUNNING)
Wmi Windows Management Instrumentation Driver Extensions(RUNNING)
wuauserv Automatic Updates (RUNNING)
WZCSVC Wireless Configuration (STOPPED)

Does anyone spot a suspicious item here? It's a webserver, so there are quite a lot listed.

For those of you who are not having success with the exploit, it's probably your router or firewall blocking the revcon shell.
If you want to read more about my security research, visit Tibbar.org
0

#7 Guest_Siliconized_*

  • Group: Guests

Posted 01 March 2004 - 01:28 AM

Damn LAMERS! :angry:
How can someone resist replying only to flame you?!
Respect the work that someone has done! U might be the next who gets rehacked. Would you like that?
0

#8 User is offline   tibbar 

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 01 March 2004 - 01:40 AM

I personally think rehacking is fair game. I have already secured all my FTPs by swapping to a non-public FTP server that I compiled myself.

This exploit has been around for a long time now (at least in public as a DoS), so if you are too lazy to update your FTPs, then don't be surprised if you lose them.

[edit] You might as well have said, how would you like it if your webserver got hacked? That would be worse to me than losing a stro I was too lazy to keep secure.
If you want to read more about my security research, visit Tibbar.org
0

#9 User is offline   Steffan 

  • Private First Class
  • Group: Members
  • Posts: 66
  • Joined: 08-September 03

Posted 01 March 2004 - 02:23 AM

tibbar, on Mar 1 2004, 09:40 AM, said:

I personally think rehacking is fair game.

No, it's NOT... it's basically the same as if I steal U car or whatever...
Oh, U didn't secure U car's door with the newest techniques, so it's U fault... :angry:

Think about it!! Anyway, STROmakerz are all l4m3rz :D

C'ya
0

#10 User is offline   tibbar 

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 01 March 2004 - 02:36 AM

lol, we are the ppl who STEAL innocent users' bandwidth and disk space because they are not security-conscious enough to install updates to Windows and programs.

So suddenly hackers/skiddies having a morality attack about ppl stealing their stolen bandwidth is laughable.

This is like you steal a car, and then I steal that car from you. The victim here is the poor person who lost his car initially.

And going back to point one: the ppl who get hacked are those who are not security-wise enough to update software... now suddenly that has become you.

If you are too lazy to update your software on your vics, then it's fair play to take them from you... it's no different to me hacking an innocent, security-unaware PC user.
If you want to read more about my security research, visit Tibbar.org
0

#11 User is offline   yeyo 

  • Private First Class
  • Group: Members
  • Posts: 99
  • Joined: 08-October 03

Posted 01 March 2004 - 02:51 AM

tibbar, on Mar 1 2004, 08:52 AM, said:

Oh, and in my search for the rootkit on this box, here's the service list:

Service Name Display Name Status
----------------------------------------------------------------------------
alerter alerter (RUNNING)
alertManager Network Associates alert Manager (RUNNING)

A good rootkit has its service hidden ;)
0

#12 User is offline   tibbar 

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 01 March 2004 - 02:53 AM

True. I've only ever used Hacker Defender, which can't hide them from remote progs like DameWare etc.

Which rootkits manage to hide them remotely as well?
If you want to read more about my security research, visit Tibbar.org
0
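The defender's answer to the two posts above (a rootkit hiding its own service, and the question of which tools can still see it) is a cross-view check: enumerate services one way, list them another way, and diff. This is an added example, not code from the thread; it parses the "Name Display Name (STATUS)" layout of the listing posted earlier as the SCM's view and compares it with the subkeys under the Services registry key. Both inputs are constructed samples, and HiddenSvcPlaceholder is a made-up name.

```python
import re
from typing import Dict, List

# Constructed sample in the same "Name Display Name (STATUS)" layout as the
# listing posted in the thread; this stands in for what the SCM enumerates.
SCM_LISTING = """\
Service Name Display Name Status
----------------------------------------------------------------------------
alerter alerter (RUNNING)
alertManager Network Associates alert Manager (RUNNING)
BITS Background Intelligent Transfer Service(RUNNING)
DWMRCS DameWare Mini Remote Control (STOPPED)
MSSQLSERVER MSSQLSERVER (RUNNING)
"""

# Constructed sample of subkeys under HKLM\SYSTEM\CurrentControlSet\Services,
# as read via Remote Registry or from an offline copy of the SYSTEM hive.
# "HiddenSvcPlaceholder" is a made-up name standing in for a service that a
# rootkit filters out of the SCM view; it is not a real rootkit identifier.
REGISTRY_SERVICE_KEYS = [
    "Alerter", "alertManager", "BITS", "DWMRCS", "MSSQLSERVER", "HiddenSvcPlaceholder",
]

# The display name may contain spaces and may run straight into "(STATUS)".
LINE_RE = re.compile(r"^(\S+)\s+(.*?)\s*\((RUNNING|STOPPED)\)\s*$")


def parse_listing(text: str) -> Dict[str, dict]:
    """Parse 'Name Display Name (STATUS)' lines, keyed by lower-cased service name."""
    services: Dict[str, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        name, display, status = m.groups()
        services[name.lower()] = {"name": name, "display": display, "status": status}
    return services


def hidden_services(scm_view: Dict[str, dict], registry_keys: List[str]) -> List[str]:
    """Cross-view check: registry service keys the SCM enumeration never returned.
    Service names are case-insensitive on Windows, so compare lower-cased."""
    return sorted(k for k in registry_keys if k.lower() not in scm_view)


if __name__ == "__main__":
    view = parse_listing(SCM_LISTING)
    print(f"{len(view)} services enumerated by SCM")
    for name in hidden_services(view, REGISTRY_SERVICE_KEYS):
        print(f"present in registry but missing from SCM view: {name}")
```

A rootkit that also hooks live registry enumeration on the box defeats the second view, which is why the registry side should come from an offline hive copy or a clean boot rather than the running system.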

#13 User is offline   toost 

  • Private First Class
  • Group: Members
  • Posts: 22
  • Joined: 22-January 04

Posted 01 March 2004 - 03:08 AM

How about using fport to trace the Serv-U and then download the .ini file, and u've got urself the location of his files...
0

#14 User is offline   tibbar 

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 01 March 2004 - 03:25 AM

Nice idea, but it won't work, since the exploit crashes Serv-U.
If you want to read more about my security research, visit Tibbar.org
0

#15 Guest_Siliconized_*

  • Group: Guests

Posted 01 March 2004 - 05:08 AM

Quote

lol, we are the ppl who STEAL innocent users' bandwidth and disk space because they are not security-conscious enough to install updates to Windows and programs.

tibbar, I don't know who you are or what you do. But there are certain rules.
I can go find myself many excuses; the thing is whether you follow the rules or not.
Play the fair game or play the "i'm so ing 1337 game!".
@ Steffan

Quote

Think about !! anyway STROmakerz are all l4m3rz

Yes... but u njoy that.
0
