Government Security
Network Security Resources

Hacker Defender Recompiled

Tags: security, php, rootkit, backdoor
This topic is locked
102 replies to this topic

#61 jimmy (Specialist, Members, 135 posts)
Posted 21 March 2004 - 10:48 PM

BIG LOL @ net

something is slightly wrong with the modification. that's why the backdoor won't work.

First test it before you give such replies, because it works perfectly!

Then second, at first no AV detected it. I already found out from Panda and fixed it.
Though I'll not post this version.
I didn't test my changes yet on KAV.

#62 Guest_tookie_* (Guests)
Posted 22 March 2004 - 08:41 AM

Big thanks to jimmy & holy_father :D
Thanks for the sweet tool ;)

#63 shii (Private First Class, Members, 86 posts)
Posted 30 March 2004 - 01:27 PM

Nice job guy, but it's detected easily by McAfee/KAV :(

Anyway, thanks for your contribution.

#64 Guest_clubfed_* (Guests)
Posted 30 March 2004 - 02:04 PM

Very good work, I just got one problem;

[Hidden Ports]
TCP:2125,6667
UDP:2125,6667

looks good eh?

Started the service and I launched a netcat shell on it, typed netstat and I get
TCP    ssbm124:2350          ***:2125          ESTABLISHED

any ideas?

Thom, I had the same problem - hxdef doesn't filter REMOTE ports, just local, which is lame as hell, because I had told them about the problem over a year ago. I switched away from hxdef around version 073 because I was fed up with not being able to cover netstat output and ended up writing my own (based on another rootkit, so a lot of ripped code, but who cares, it was just for me, never released).

yea I fixed that in my recompiled version... also made it hide port ranges. Remote ports are edi+ecx+8 and local edi+ecx. And I think you're a lying sack of shit also, because holy_father has always responded to me within a day.

heh, I don't know why I missed this post, I just saw it. Dude, no I'm not lying, hf totally fxcking blew me off. I wrote him many times and I was on the private beta testers forum for a while.

Thanks for the pointers, but I'm using other rootkits until the crash bugs are fixed in the hxdef codebase. I don't have time to go through fixing such a giant mess. (Just in case some idiot responds saying there are no bugs, try it on a few different OS, different Win2000 SP levels etc. and right click on icons etc. and watch the general (filtered)ness of Explorer after it's injected, and you'll understand -- but don't mouth off about how perfect it is until you've tried it on multiple platforms please, thanks!!)
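The leak described in the post above (a `[Hidden Ports]` list that is only matched against the local column of netstat, so the remote side of the netcat session still shows the hidden port) is easy to see in a small model. The following is an added example, not hxdef's code or the recompiled version: it parses a constructed `netstat -an`-style sample and the `[Hidden Ports]` block from the post, applies a local-port-only filter and a local-or-remote filter, and reports the lines that survive the first but still name a hidden port on the remote side. The port-range syntax (`a-b`) is an assumption modelled on the remark that the recompile hides port ranges; hostnames and addresses in the sample are invented.

```python
"""Added example (not hxdef's own code): model a netstat port-hiding filter to
show why matching only the local port leaks the remote end of a connection.
The INI parsing, sample lines and range syntax are assumptions made here."""
import re
from dataclasses import dataclass
from typing import Optional

# [Hidden Ports] block as posted above (hxdef.ini syntax).
HIDDEN_PORTS_INI = """\
[Hidden Ports]
TCP:2125,6667
UDP:2125,6667
"""

# Constructed sample in the shape of Windows 'netstat -an' output; addresses
# are invented. The fourth line mirrors the leak in the post: a netcat shell
# whose *remote* port is one of the hidden ports.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2125           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:2350        198.51.100.7:2125      ESTABLISHED
  TCP    192.0.2.10:6667        198.51.100.7:41000     ESTABLISHED
  UDP    0.0.0.0:2125           *:*
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_port: Optional[int]
    remote_port: Optional[int]
    state: str


def _port(addr: str) -> Optional[int]:
    """'host:port' -> port number, or None when there is no port (UDP '*:*')."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def parse_netstat(text: str) -> list:
    """Turn netstat lines into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""
        conns.append(Conn(parts[0], _port(parts[1]), _port(parts[2]), state))
    return conns


def parse_hidden_ports(ini_text: str) -> dict:
    """Parse 'PROTO:p1,p2,a-b' lines under [Hidden Ports] into {proto: set(ports)}.
    The 'a-b' range form is an assumed extension for this illustration."""
    hidden = {"TCP": set(), "UDP": set()}
    in_section = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[hidden ports]"
            continue
        if not in_section or ":" not in line:
            continue
        proto, _, spec = line.partition(":")
        for item in spec.split(","):
            item = item.strip()
            if not item:
                continue
            m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
            if not m:
                raise ValueError(f"bad port spec {item!r}")
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            hidden.setdefault(proto.strip().upper(), set()).update(range(lo, hi + 1))
    return hidden


def hide_local_only(conns, hidden):
    """The behaviour complained about above: only the local column is checked."""
    return [c for c in conns if c.local_port not in hidden.get(c.proto, set())]


def hide_local_or_remote(conns, hidden):
    """The fix as described: a line is hidden if either end matches a hidden port."""
    return [c for c in conns
            if c.local_port not in hidden.get(c.proto, set())
            and c.remote_port not in hidden.get(c.proto, set())]


def leaked(conns, hidden):
    """Lines that survive the local-only filter yet still show a hidden port on
    the remote side; this is exactly what gives the backdoor session away."""
    return [c for c in hide_local_only(conns, hidden)
            if c.remote_port in hidden.get(c.proto, set())]


if __name__ == "__main__":
    ports = parse_hidden_ports(HIDDEN_PORTS_INI)
    for c in leaked(parse_netstat(NETSTAT_SAMPLE), ports):
        print("leaked by local-only filter:", c)
```

Run stand-alone it prints the single ESTABLISHED line whose remote port is 2125, i.e. the same line the poster saw in netstat. The same model is a cheap detection check from the other side: if a box's netstat shows an ESTABLISHED connection to a port that does not appear anywhere as a local listener or in a second view of the socket table, something is filtering one column.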

#65 MHSICKNESS (Private First Class, Members, 33 posts)
Posted 30 March 2004 - 05:29 PM

something is slightly wrong with the modification. that's why the backdoor won't work.

First test it before you give such replies, because it works perfectly!

I tested this rootkit on more than 10 different hacks of mine; the backdoor didn't work a single time.

I open up the client and connect to the IP at my FTP port (it says it should work on ANY open port), I'm connected, it checks for the backdoor... failed... every single time...

#66 Killaloop (Sergeant First Class, Members, 677 posts)
Posted 31 March 2004 - 05:52 AM

No, the backdoor doesn't work on any port.
What about trying some different ports before posting anything? It's not difficult.
Port 80 mostly works as long as IIS is running; it doesn't work when Apache is running. It worked with the old Serv-U port, not when you chose the port where Serv-U 5.x is running, and so on.
Just try some ports, it is not that hard.

#67 net (Private First Class, Members, 51 posts)
Posted 31 March 2004 - 06:14 AM

killaloop, jimmy, did you test with EXACTLY THIS version? Or with your own ones? You'll notice that the backdoor of this one here won't work... tested it 1000 times...

#68 Killaloop (Sergeant First Class, Members, 677 posts)
Posted 31 March 2004 - 07:37 AM

There are however only a handful of ports where the backdoor will listen.
80 and 3372 are the ports I tend to use when open.
It takes some time to find the right port since not all will work.

And nope, I didn't try jimmy's, but others did and I think jimmy knows what he is doing.
However, if it still doesn't work, use the original binary from hf. It won't make a difference since both versions are detected by AVs (thanks to those of you who made it possible that AVs could pick up jimmy's... and don't ask him for another version, first learn to use it).

#69 jubbly (Private First Class, Members, 89 posts)
Posted 01 April 2004 - 01:07 AM

Very nice work, that's a nice tool.

bigup :)

#70 night^man (Specialist, Members, 119 posts)
Posted 01 April 2004 - 05:28 AM

Thanks, cool job, works great with Norton AV2004 and AV2003.
Respect! :D

#71 cracken (Private, Members, 17 posts)
Posted 09 April 2004 - 08:41 AM

Hi,

On your recompiled hxdef, port hiding and spacefake don't work: if you set them up in the ini the rootkit won't start. Tested under Win2k & WinXP, didn't work.

If I leave both entries clear it works fine.

cya

#72 Imps2 (Private First Class, Members, 56 posts)
Posted 10 April 2004 - 01:28 AM

Thanks for sharing :D

Greetz, Imps2

#73 Kakarott (Private First Class, Members, 26 posts)
Posted 11 April 2004 - 07:48 AM

Thanks for sharing dude, good work ;)

#74 jimmy (Specialist, Members, 135 posts)
Posted 12 April 2004 - 03:15 PM

cracken,
I guess you made some mistake; I used this version on several boxes in the beginning, all worked fine!
Perhaps something to do with spacing / no new line or something.
Always edit the ini in Notepad, don't change anything of the format etc.

Then second, people who say hxdef gives problems. I have many, and when I say many I really mean many, boxes; it works fine on all of them. I heard about the right clicking, well, I never had one box with that problem. The "right clicking problem" can occur with wrong/bad edits of the source code. I tested my version on NT4 SP6, 2k SP0, 2k SP2, 2k SP3, 2k SP4, XP SP0 and XP SP1. Most in English, some were in different languages. It all went fine on every box.
The backdoor can be more difficult, but port 80 on IIS always works fine. The port from my ftpd also works most of the time; port 3372 and port 25 from some mail daemons also work fine.

And once again, if your AV detects it, it's normal; this version is detected by McAfee, KAV and Panda (as I tested). Norton is blind and still doesn't detect it.
I updated my own version and tested it with McAfee, Norton, Panda and KAV: not detected. I won't post this version or perhaps AVs will detect it again.

#75 x1` (Staff Sergeant, Members, 412 posts)
Posted 13 April 2004 - 05:24 AM

When I connect to the server my client cmd box just closes.
Also, is the default port 1337?