Government Security
Network Security Resources

Hacker Defender Recompiled

Tags: security, php, rootkit, backdoor
This topic is locked
102 replies to this topic

#16 GhostCow (Staff Sergeant, Members, 345 posts)
Posted 30 January 2004 - 03:44 AM

Sweet, this baby rocks!
Compliments to the authors and everyone involved.

#17 Thom (Staff Sergeant, Members, 308 posts)
Posted 30 January 2004 - 05:00 AM

Very good work, I just got one problem:

[Hidden Ports]
TCP:2125,6667
UDP:2125,6667

looks good eh?

Started the service and I launched a netcat shell on it, typed netstat and I get
TCP ssbm124:2350 ***:2125 ESTABLISHED

any ideas?

#18 Fletcher (Private First Class, Members, 53 posts)
Posted 30 January 2004 - 05:13 AM

wow great work :huh:
thanks a lot :rolleyes:

#19 AlessandroIT (Private First Class, Members, 48 posts)
Posted 30 January 2004 - 05:14 AM

Try to hide port 2350 too :D

#20 Thom (Staff Sergeant, Members, 308 posts)
Posted 30 January 2004 - 06:13 AM

Meh, didn't work.

#21 jimmy (Specialist, Members, 135 posts)
Posted 30 January 2004 - 06:52 AM

Thom, I just tested it. The port hiding function works properly.
I hope you don't have a netcat shell with root privileges, or one started from the backdoor shell, which also has root privileges, then

#22 Guest_Torment_* (Guests)
Posted 30 January 2004 - 10:13 AM

Well, it's not completely invisible, my AV detected it :D, btw it's F-Secure.

#23 mech (Private, Members, 12 posts)
Posted 30 January 2004 - 10:30 AM

Thanks for the app mate. It isn't detected by Kaspersky AV. Well done and thanks a bunch.

#24 MxMx (Staff Sergeant, Members, 329 posts)
Posted 30 January 2004 - 11:06 AM

If your AV detects it .. just use morphine or upxmodified .. I think the only problem is that morphine doesn't encrypt your hxdefdriver.dll :P which the program creates at startup.

#25 jimmy (Specialist, Members, 135 posts)
Posted 30 January 2004 - 11:17 AM

MxMx, you clearly don't know what you're talking about.
First of all, it's the system driver which gets detected. Which is truly annoying.
Second of all, some AV detect morphine, and complain about it. So plz first check stuff out before giving such lame comments. I even said it in the readme. I didn't UPX or anything cause some AV detect and complain ...

#26 phaeton (Specialist, Members, 137 posts)
Posted 30 January 2004 - 12:38 PM

jimmy, take it easy dude :blink: he just said what anyone might say if something is detected. You don't need to shoot him down.

If it's detected on any AV, someone could tell you that you "clearly don't know what you are doing" if you release it and it's detected.

Just simmer down, he tried to help and that never hurts.

#27 AlessandroIT (Private First Class, Members, 48 posts)
Posted 30 January 2004 - 02:24 PM

Well, it works well... So can someone explain to me how to use the backdoor? I tried to put "BackdoorShell=client.exe" in the ini file,
then tried to connect to localhost on port 80... But it doesn't work..
Can someone help me? :D

#28 jimmy (Specialist, Members, 135 posts)
Posted 30 January 2004 - 02:38 PM

You need to connect with client.exe to the box,
that's all.
Just open client.exe at home, and don't change the ini for that part.

#29 phaeton (Specialist, Members, 137 posts)
Posted 30 January 2004 - 03:33 PM

Also make sure your backdoor shell is part of the root processes so that it has some meaning over a regular nc shell =D

#30 Guest_clubfed_* (Guests)
Posted 31 January 2004 - 04:37 AM

Quote (Thom):
> Very good work, I just got one problem;
>
> [Hidden Ports]
> TCP:2125,6667
> UDP:2125,6667
>
> looks good eh?
>
> Started the service and I launched a netcat shell on it, typed netstat and I get
> TCP ssbm124:2350 ***:2125 ESTABLISHED
>
> any ideas?

Thom, I had the same problem - hxdef doesn't filter REMOTE ports, just local, which is lame as hell, because I had told them about the problem over a year ago. I switched away from hxdef around version 073 because I was fed up with not being able to cover netstat output and ended up writing my own (based on another rootkit, so a lot of ripped code, but who cares, it was just for me, never released).
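The behaviour clubfed describes (the rootkit filters netstat output by local port only, so the same connection stays visible when the hidden port is on the remote side, which is exactly the line Thom posted) points to a simple check for the defender: compare the host's own netstat output with the view from a second vantage point, such as the peer host's netstat, a firewall log or a packet capture. Any established connection the peer sees to the host but the host does not report is evidence that the host's output is being filtered. The Python below is an added example written for this page, not code from the thread, from hxdef or from any project. The netstat lines, the host names `ssbm124` and `peer-host`, and the ports are constructed sample data modelled on Thom's line; the local-port-only filtering semantics are taken from clubfed's statement and assumed to hold.

```python
"""Cross-check a host's netstat view against an external view of the same connections.

Constructed example for a forum thread on hidden ports; not code from the thread.
Assumption (from the thread): the rootkit drops netstat lines whose LOCAL port is
on its hidden list, but leaves lines where the hidden port is the REMOTE port.
"""
from dataclasses import dataclass

# Constructed sample: what netstat on the suspect host (ssbm124) reports.
# The listener on local port 2125 is absent; the outbound connection whose
# REMOTE port is 2125 is still shown, as in the line posted in the thread.
HOST_VIEW = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ssbm124:135            0.0.0.0:0              LISTENING
  TCP    ssbm124:2350           peer-host:2125         ESTABLISHED
  UDP    ssbm124:137            *:*
"""

# Constructed sample: what netstat on the peer (peer-host) reports about the same host.
PEER_VIEW = """\
  Proto  Local Address          Foreign Address        State
  TCP    peer-host:2125         ssbm124:2350           ESTABLISHED
  TCP    peer-host:3301         ssbm124:2125           ESTABLISHED
"""


@dataclass(frozen=True)  # frozen + eq makes Conn hashable, so views can be compared as sets
class Conn:
    proto: str
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int
    state: str


def _endpoint(text):
    """Split 'host:port' (or '*:*' as seen on UDP lines) into (host, port)."""
    host, port = text.rsplit(":", 1)
    return host, (0 if port == "*" else int(port))


def parse_netstat(text):
    """Parse 'netstat -an'-style lines: '<Proto> <local> <foreign> [<state>]'."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner and column-header lines
        lhost, lport = _endpoint(parts[1])
        rhost, rport = _endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        conns.append(Conn(parts[0], lhost, lport, rhost, rport, state))
    return conns


def mirror(conn):
    """Re-express a connection from the other endpoint's point of view."""
    return Conn(conn.proto, conn.remote_host, conn.remote_port,
                conn.local_host, conn.local_port, conn.state)


def missing_on_host(host_conns, peer_conns):
    """Established connections the peer sees to the host that the host does not report.

    Returned in the host's own perspective (local = host side), so each entry is
    the netstat line the host should have printed but did not.
    """
    reported = set(host_conns)
    return [mirror(c) for c in peer_conns
            if c.state == "ESTABLISHED" and mirror(c) not in reported]


def visible_on_remote_side(conns, ports):
    """Connections where a port from the watch list appears on the REMOTE side.

    Under local-port-only filtering these lines survive in the host's output,
    which is why the thread's 'ssbm124:2350 -> *:2125' line was still visible.
    """
    return [c for c in conns if c.remote_port in ports]


if __name__ == "__main__":
    host = parse_netstat(HOST_VIEW)
    peer = parse_netstat(PEER_VIEW)
    for c in missing_on_host(host, peer):
        print(f"NOT REPORTED BY HOST: {c.proto} {c.local_host}:{c.local_port} "
              f"<- {c.remote_host}:{c.remote_port} {c.state}")
    for c in visible_on_remote_side(host, {2125, 6667}):
        print(f"watch-list port on remote side, still visible: "
              f"{c.local_host}:{c.local_port} -> {c.remote_host}:{c.remote_port}")
```

Run as-is, the script reports the connection to the host's local port 2125 that the peer sees but the host omits, and separately lists the outbound connection whose remote port is 2125, the one the thread's filter does not touch. In practice the second view would come from a device the suspect host cannot influence, and the comparison should be made on a matching snapshot of both sides, since connections that open or close between the two captures also show up as discrepancies.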