Congrats! You got a rootkit. A rootkit itself does not exploit any vulnerability. Its sole purpose is to be stealthy on the system and to provide a backdoor for remote control. Your attacker obviously exploited some vulnerability on your server, escalated privileges and installed the rootkit. Which vulnerability it was is up to you to find out. Do you patch regularly? Do you host web apps?
The problem is that you should investigate other servers and workstations in your network. And I don't think that antivirus (I hope you have one) will find rootkits if the rootkits are running. Run standard antirootkit tools on all of your servers and workstations (if that's possible). Also monitor and analyze your network traffic for a few days.

Try the following tools (use Google to find them):

Blacklight
Icesword
Rootkit Revealer
Strider
RAIDE - Rootkit Analysis Identification Elimination
RKDetector
System Virginity Verifier
... [there are more, just google]

And run more than one antirootkit tool per system.

Hope this helps,
GoranP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, October 14, 2006 1:04 PM
To: [email protected]
Subject: Hacker Defender v0.84-1.0.0 backdoor -wath Vulnerabiliti it uses to get in

I have had this one on one of my servers: Hacker Defender v0.84-1.0.0 backdoor. Is there anyone who knows which vulnerability it uses to get in?

I do believe that my system is protected now - but it would be nice to know what "hole" it was using to get in - in the first place.
