Security Incidents mailing list archives
NKADM rootkit - Something new?
From: Jeremy Pollack <jpollack2 () cox net>
Date: Tue, 25 May 2004 18:05:32 -0400
Has anyone seen this NKADM rootkit? Four of the servers here were exploited at some point in the past 30 days and have been running this combination rootkit+ftp server. My searches have not hit anything. I definitely do not have a full picture of the whole thing yet, but what I do know is:

- Environment - University with wide-open network and no firewalls (stop shuddering!). Windows 2000 and Windows 2003 servers. Some of the 2003 boxes are part of our new 2003 AD, the other 2000 boxes are part of our old NT4 domain.

- Boxes have had all MS patches w/in 2 days of release, generally patched the same day.

- The app very effectively hides itself. There is an executable called NKADM.exe and an NKADM.ini. A paste of a sample NKADM.ini is below. As you can see from it, it hides registry keys, ports, files, services and processes from user view, including local administrator. In fact, when I changed the one visible service to log on as a user, it wouldn't even see it as even NKADM.exe is hidden from the user.

- The FTP servers' data files were in the x:\System Volume Information folders, in folders called nkadmfiles and/or nkadmarch. Two of the boxes had 20Gb of data. Anyone want some German Ska... Anyways, I'm guessing this is a fairly common place to put data on a compromised machine?

- Lavasoft's Alternate Data Stream detection tool finds Alternate Data Streams in the folders where the hacks are hidden from the NKADM.exe file. The other ADS detection tools I attempted did not locate anything. At first I was thinking that everything was there, but it looks like it isn't, unless NKADM.exe actually moves files/folders there upon execution. I'm not sure what may be there, though.

- There are two FTP servers running. A Serv-u instance which is running the warez FTP server and a SlimFTP instance which is the management/hacking FTP server which has full access to the C:\ drive.

- Symantec AV stares at the files and shrugs. Once I got them showing up in the system (by clearing the NKADM.ini files) I copied them off and showed them to Symantec AV. It scanned them all and didn't find anything. I've sent them to our University security officer who will be sending them to Symantec. Still waiting to hear what they have to say.

I'm sorry if this is an information overload. At this point my server person is probably going to be rebuilding the systems, at least half of them were not in production yet anyways, but it is a combination of trying to figure out how to prevent it from happening again and extreme curiosity about how it happened and just what this whole kit/package can and is doing. The fact that I found nothing in my searching just furthered the curiosity!

Thank you in advance to anyone who has any feedback/input. And thanks retroactively to everyone who has posted stuff of interest in the past while I lurked. :)

Sincerely,
Jeremy Pollack
Client Support Specialist
University of Connecticut, School of Business

+++++++++++++++++++++++
NKADM.INI

[Hidden Table]
nkadm*
slimftpd.conf
slimftpd.log

[Root Processes]
nkadm*
ioA.exe
ioGroups.exe
ioLimitTransfers.exe
ioUptime.exe
ioZS.exe
ioNewDay.exe
SiteWho.exe

[Hidden Services]
nkserv*
nkadm*

[Hidden RegKeys]
nkadm*
NKADM*
LEGACY_NKADM*

[Hidden RegValues]

[Startup Run]

[Free Space]

[Hidden Ports]
TCP:4420,4421,4422,4423,4424,4425,4426,4427,4428,4429,7117,7116,20200,20201,20202,20203,20204,20205,20206,20207,20208,20209,20210,20211,20212,20213,20214,20215,20216,20217,20218,20219,20220

[Settings]
Password=pr3ssF1
BackdoorShell=nkadmß$.exe
FileMappingName=nkfolderrun
ServiceName=nkadmhxdef100
Se|rviceDisplayName=Backup Service
ServiceDescription=Makes the Cow go M00
DriverName=nkadmhxdefdrv100
DriverFileName=nkadmdriver.sys
++++++++++++++++++++++++

File listing from one variant:

dir.txt
nkadm.exe
nkadm.ini
nkadmcyt.exe
nkadmdelmin.bat
nkadmdriver.sys
nkadmelmin.bat
nkadmservu.dir
nkadmservu.exe
nkadmservu.ini
nkadmservu.ini.3
nkadmservu.log
nkadmservu.on
nkadmslimftpd.exe
nkadmsvcrun.exe
slimftpd.conf
slimftpd.log
+++++++++++++++++++++++++++++++++

File list from Variant 2
D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\17 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\18 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\19 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\20 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\21 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\22 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\23 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\25 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\26 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\27 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\28 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\29 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\30 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\7 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\8 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\9 D:\hacked\TEMP\SBPhile\Windows\nkadmioftpd\users\Default.User