RE: NKADM rootkit - Something new?

From: Ferruh Mavituna (ferruh_at_mavituna.com)
Date: 05/26/04

    To: <jpollack@bigfoot.com>, <incidents@securityfocus.com>
    Date: Wed, 26 May 2004 17:54:40 +0300
    
    

    It must be our old friend Hacker Defender (http://hxdef.czweb.org/). Also,
    you can compare the binary files' checksums with current versions.

    Also, this is another clue for Hacker Defender:
    > DriverName=nkadmhxdefdrv100

    Of course, it's possible that someone modified it, or that another new
    rootkit pretends to be Hacker Defender.

    Ferruh.Mavituna
    http://ferruh.mavituna.com
    PGPKey : http://ferruh.mavituna.com/PGPKey.asc
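
Added example (not part of the original post or of either correspondent's tooling): a Python sketch that parses an NKADM.INI like the one quoted below into a triage checklist, flags the "hxdef" marker mentioned in this reply, and checks a file listing and port list gathered from outside the infected OS against the hide patterns. The sample listing and ports are constructed, and the set of filler characters the parser skips (which would explain the `Se|rviceDisplayName` key) is an assumption about Hacker Defender's INI handling.

```python
import fnmatch
import re

# Excerpt of the NKADM.INI quoted in this thread (port list shortened).
SAMPLE_INI = """\
[Hidden Table]
nkadm*
slimftpd.conf
slimftpd.log

[Hidden Services]
nkserv*
nkadm*

[Hidden Ports]
TCP:4420,4421,7117,7116,20200

[Settings]
ServiceName=nkadmhxdef100
Se|rviceDisplayName=Backup Service
DriverName=nkadmhxdefdrv100
DriverFileName=nkadmdriver.sys
"""

# Assumption: these characters are filler that the rootkit ignores in
# section names, list entries and setting keys (used to dodge signatures).
FILLER = re.compile(r'[|<>:\\/"]')
# Assumption: entries in these sections are taken literally (no stripping).
RAW_SECTIONS = {"hidden ports", "startup run", "free space"}


def parse_ini(text):
    """Return {section name (lowercase): [entries]} with filler removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = FILLER.sub("", line)
        if header.startswith("[") and header.endswith("]"):
            current = header[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        if current == "settings":
            # Only the key (text before the first '=') may carry filler.
            key, _, value = line.partition("=")
            line = FILLER.sub("", key).strip() + "=" + value.strip()
        elif current not in RAW_SECTIONS:
            line = FILLER.sub("", line)
        sections[current].append(line)
    return sections


def settings(sections):
    """[Settings] entries as a key -> value dict."""
    return dict(e.split("=", 1) for e in sections.get("settings", []) if "=" in e)


def hidden_ports(sections):
    """Map protocol -> set of port numbers from [Hidden Ports]."""
    ports = {}
    for entry in sections.get("hidden ports", []):
        proto, _, numbers = entry.partition(":")
        ports.setdefault(proto.upper(), set()).update(
            int(n) for n in numbers.split(",") if n.strip().isdigit())
    return ports


def hidden_names(patterns, names):
    """Names from an offline listing that the INI patterns would hide."""
    pats = [p.lower() for p in patterns]
    return [n for n in names
            if any(fnmatch.fnmatchcase(n.lower(), p) for p in pats)]


def family_clues(cfg, marker="hxdef"):
    """Setting keys whose value still carries the Hacker Defender marker."""
    return sorted(k for k, v in cfg.items() if marker in v.lower())


if __name__ == "__main__":
    ini = parse_ini(SAMPLE_INI)
    # Constructed sample data: a directory listing taken with the disk mounted
    # on a clean system, and listeners seen by a port scan from another host.
    offline_listing = ["nkadm.exe", "NKADMdriver.sys", "slimftpd.conf", "boot.ini"]
    external_listeners = {21, 80, 4420, 7117}

    print("family clues :", family_clues(settings(ini)))
    print("hidden files :", hidden_names(ini["hidden table"], offline_listing))
    print("hidden ports :", sorted(hidden_ports(ini)["TCP"] & external_listeners))
```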

    > -----Original Message-----
    > From: Jeremy Pollack [mailto:jpollack2@cox.net]
    > Sent: Wednesday, May 26, 2004 1:06 AM
    > To: incidents@securityfocus.com
    > Subject: NKADM rootkit - Something new?
    >
    > Has anyone seen this NKADM rootkit? Four of the servers here were
    > exploited at some point in the past 30 days and have been running this
    > combination rootkit+ftp server. My searches have not hit anything. I
    > definitely do not have a full picture of the whole thing yet, but what I
    > do know is:
    >
    > - Environment
    > - University with wide-open network and no firewalls (stop shuddering!).
    > Windows 2000 and Windows 2003 servers. Some of the 2003 boxes are part of
    > our new 2003 AD, the other 2000 boxes are part of our old NT4 domain.
    > - Boxes have had all MS patches w/in 2 days of release, generally
    > patched the same day.
    >
    > - The app very effectively hides itself. There is an executable called
    > NKADM.exe and an NKADM.ini. A paste of a sample NKADM.ini is below. As you
    > can see from it, it hides registry keys, ports, files, services and
    > processes from user view, including local administrator. In fact, when I
    > changed the one visible service to log on as a user, it wouldn't even see
    > it as even NKADM.exe is hidden from the user.
    >
    > - The FTP server's data files were in the x:\System Volume Information
    > folders, in folders called nkadmfiles and/or nkadmarch. Two of the boxes
    > had 20Gb of data. Anyone want some German Ska... Anyways, I'm guessing
    > this is a fairly common place to put data on a compromised machine?
    >
    > - Lavasoft's Alternate Data Stream detection tool finds Alternate Data
    > Streams in the folders where the hacks are hidden from the NKADM.exe file.
    > The other ADS detection tools I attempted did not locate anything. At
    > first I was thinking that everything was there, but it looks like it
    > isn't, unless NKADM.exe actually moves files/folders there upon execution.
    > I'm not sure what may be there, though.
    >
    > - There are two FTP servers running. A Serv-u instance which is running
    > the warez FTP server and a SlimFTP instance which is the
    > management/hacking FTP server which has full access to the C:\ drive.
    >
    > - Symantec AV stares at the files and shrugs. Once I got them showing up
    > in the system (by clearing the NKADM.ini files) I copied them off and
    > showed them to Symantec AV. It scanned them all and didn't find anything.
    > I've sent them to our University security officer who will be sending them to
    > Symantec. Still waiting to hear what they have to say.
    >
    >
    > I'm sorry if this is an information overload. At this point my server
    > person is probably going to be rebuilding the systems, at least half of
    > them were not in production yet anyways, but it is a combination of trying
    > to figure out how to prevent it from happening again and extreme
    > curiosity about how it happened and just what this whole kit/package can
    > and is doing. The fact that I found nothing in my searching just furthered
    > the curiosity!
    >
    > Thank you in advance to anyone who has any feedback/input. And thanks
    > retroactively to everyone who has posted stuff of interest in the past
    > while I lurked. :)
    >
    > Sincerely,
    > Jeremy Pollack
    > Client Support Specialist
    > University of Connecticut, School of Business
    >
    > +++++++++++++++++++++++
    > NKADM.INI
    >
    > [Hidden Table]
    > nkadm*
    > slimftpd.conf
    > slimftpd.log
    >
    > [Root Processes]
    > nkadm*
    > ioA.exe
    > ioGroups.exe
    > ioLimitTransfers.exe
    > ioUptime.exe
    > ioZS.exe
    > ioNewDay.exe
    > SiteWho.exe
    >
    > [Hidden Services]
    > nkserv*
    > nkadm*
    >
    > [Hidden RegKeys]
    > nkadm*
    > NKADM*
    > LEGACY_NKADM*
    >
    > [Hidden RegValues]
    >
    > [Startup Run]
    >
    > [Free Space]
    >
    > [Hidden Ports]
    > TCP:4420,4421,4422,4423,4424,4425,4426,4427,4428,4429,7117,7116,20200,20201,20202,20203,20204,20205,20206,20207,20208,20209,20210,20211,20212,20213,20214,20215,20216,20217,20218,20219,20220
    >
    > [Settings]
    > Password=pr3ssF1
    > BackdoorShell=nkadmß$.exe
    > FileMappingName=nkfolderrun
    > ServiceName=nkadmhxdef100
    > Se|rviceDisplayName=Backup Service
    > ServiceDescription=Makes the Cow go M00
    > DriverName=nkadmhxdefdrv100
    > DriverFileName=nkadmdriver.sys
    >
    >
    > ++++++++++++++++++++++++
    > File listing from one variant:
    >
    > dir.txt
    > nkadm.exe
    > nkadm.ini
    > nkadmcyt.exe
    > nkadmdelmin.bat
    > nkadmdriver.sys
    > nkadmelmin.bat
    > nkadmservu.dir
    > nkadmservu.exe
    > nkadmservu.ini
    > nkadmservu.ini.3
    > nkadmservu.log
    > nkadmservu.on
    > nkadmslimftpd.exe
    > nkadmsvcrun.exe
    > slimftpd.conf
    > slimftpd.log
    >
    >
    >
    >
    > +++++++++++++++++++++++++++++++++
    > File list from Variant 2
    > \idlers.foot.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_admin
    > \idlers.head.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_admin
    > \idlers.nobody.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_admin
    > \onlineuser.body.download.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_admin
    > \onlineuser.body.idle.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_admin
    > \onlineuser.body.upload.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_admin
    > \onlineuser.foot.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_admin
    > \onlineuser.head.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_admin
    > \onlineuser.nobody.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_admin
    > \uploaders.body.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_admin
    > \uploaders.foot.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_admin
    > \uploaders.head.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_admin
    > \uploaders.nobody.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\bot.speed.body.download.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\bot.speed.body.idle.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\bot.speed.body.upload.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\bot.speed.foot.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\bot.speed.not.online.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\bot.totalbw.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\downloaders.body.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\downloaders.foot.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\downloaders.head.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\downloaders.nobody.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\idlers.body.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\idlers.foot.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\idlers.head.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\idlers.nobody.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\onlineuser.body.download.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\onlineuser.body.idle.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\onlineuser.body.upload.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\onlineuser.foot.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\onlineuser.head.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\onlineuser.nobody.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\uploaders.body.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\uploaders.foot.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\uploaders.head.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_dzsbo
    > t\uploaders.nobody.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_limit
    > ed\onlineuser.body.download.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_limit
    > ed\onlineuser.body.idle.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_limit
    > ed\onlineuser.body.upload.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_limit
    > ed\onlineuser.foot.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_limit
    > ed\onlineuser.head.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\sitewho\templates_limit
    > ed\onlineuser.nobody.nfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\scripts\Who\swho.itcl
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\system\ioFTPD.ini
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\system\nkadmioftpd.exe
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\system\php4ts.dll
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\system\tcl84.dll
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\banner
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\motd
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\AllDn.Body
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\AllDn.Footer
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\AllDn.Header
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\AllUp.Body
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\AllUp.Footer
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\AllUp.Header
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\ClientInfo.Download
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\ClientInfo.Idle
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\ClientInfo.Login
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\ClientInfo.Upload
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\ClientList.Download
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\ClientList.Header
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\ClientList.Idle
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\ClientList.Login
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\ClientList.Upload
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\DayDn.Body
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\DayDn.Footer
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\DayDn.Header
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\DayUp.Body
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\DayUp.Footer
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\DayUp.Header
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\GroupInfo.Body
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\GroupInfo.Header
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\GroupList.Body
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\GroupList.Header
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\LogIn
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\LogOut
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\MonthDn.Body
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\MonthDn.Footer
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\MonthDn.Header
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\MonthUp.Body
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\MonthUp.Footer
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\MonthUp.Header
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\TransferComplete
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\UserInfo
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\UserList.Body
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\UserList.Header
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\Welcome
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\WkDn.Body
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\WkDn.Footer
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\WkDn.Header
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\WkUp.Body
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\WkUp.Footer
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\text\ftp\WkUp.Header
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\10
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\11
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\12
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\13
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\14
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\15
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\16
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\17
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\18
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\19
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\20
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\21
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\22
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\23
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\25
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\26
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\27
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\28
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\29
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\30
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\7
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\8
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\9
    > D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\Default.User
    >

