Focus on Microsoft
Hacker Defender v0.84-1.0.0 backdoor -wath Vulnerabiliti it uses to get in Oct 14 2006 11:03AM
tm dfif dk (2 replies)
RE: Hacker Defender v0.84-1.0.0 backdoor -wath Vulnerabiliti it uses to get in Oct 19 2006 07:21AM
Goran Pizent (goran pizent ekobit hr)
Congrats!
You got a rootkit.

A rootkit itself does not exploit any vulnerability. Its sole purpose is to
be stealthy on the system and to provide a backdoor for remote control. Your
attacker obviously exploited some vulnerability on your server, escalated
privileges and installed the rootkit. Which vulnerability it was is up to you to
find out. Do you patch regularly? Do you host web apps?

The problem is that you should investigate other servers and workstations in
your network. And I don't think that antivirus (I hope you have one) will
find rootkits if rootkits are running.

Run standard antirootkit tools on all of your servers and workstations (if
that's possible). Also monitor and analyze your network traffic for a few
days.

Try the following tools (use Google to find them):
Blacklight
Icesword
Rootkit Revealer
Strider
RAIDE - Rootkit Analysis Identification Elimination
RKDetector
System Virginity Verifier
...
[there are more, just google]

And run more than one antirootkit tool per system.

Hope this helps,
GoranP

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
Behalf Of tm (at) dfif (dot) dk
Sent: Saturday, October 14, 2006 1:04 PM
To: focus-ms (at) securityfocus (dot) com
Subject: Hacker Defender v0.84-1.0.0 backdoor -wath Vulnerabiliti it uses to
get in

I have had this one in one of my servers
Hacker Defender v0.84-1.0.0 backdoor

Is there anyone that knows which vulnerability it uses to get in?

I do believe that my system is protected now - but it would be nice to know
what "hole" it was using to get in - in the first place

RE: Hacker Defender v0.84-1.0.0 backdoor -wath Vulnerabiliti it uses to get in Oct 17 2006 01:03AM
Murda Mcloud (murdamcloud bigpond com)
Copyright 2010, SecurityFocus