Re: Pdmin / Trojaned csrss.exe

From: Jason Alexander (listsitsecurity3.its.uiowa.edu)
Date: Mon Aug 04 2003 - 11:30:28 CDT


Hello,

I just mailed out the csrss.exe binary to everyone who asked for it. If
anyone else would like this just let me know. I have what we believe to
be the complete kit.

Jason

Jason Alexander wrote:
> Hello all,
>
> We're seeing some machines compromised because of the RPC/DCOM issues where
> they didn't get patched in time.
>
> One thing we are finding is a program running on port 6651 that identifies
> itself as pAdmin - by: pdi in a web browser. This interface has a place
> for a password.
>
> The program is run by a trojan csrss.exe in C:\winnt\system32\restore and
> is installed at the same time an FTP server is installed. I did a strings
> on the csrss.exe but turned up nothing that worked as a password. Can
> anyone tell me more about this program or what it might be? Or the
> password.
>
> Our virus scanners don't seem to detect it, but there is something called
> Backdoor.Padmin that is listed in Norton's database. But very little
> information is given.
>
> Thanks
> Jason Alexander

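The post above gives three concrete indicators: a TCP listener on port 6651, a web interface that identifies itself as "pAdmin - by: pdi", and a csrss.exe running from C:\winnt\system32\restore instead of %SystemRoot%\system32. The script below is an added example (not code from the thread or from any of its participants) that turns those indicators into a triage check. The netstat text, process list and HTTP reply it runs against are constructed samples, not real captures; the netstat layout is assumed to be the Windows 2000 "netstat -an" format, and the process/path list is assumed to come from whatever tool you have on the box (the post does not name one). Only grab_banner() touches the network, and only when you point it at a host.

```python
r"""Triage check for the pAdmin backdoor indicators described in the post.

Added example, not code from the original thread. Indicators taken from the
post: TCP 6651 listening, an HTTP page titled "pAdmin - by: pdi", and a
csrss.exe outside %SystemRoot%\system32 (the post names
C:\winnt\system32\restore\csrss.exe). All sample inputs are constructed.
"""
import re
import socket
from typing import Dict, List, Sequence, Tuple

SUSPECT_PORT = 6651
# Identification string the post saw in the browser, matched loosely on spacing/case
PADMIN_MARKER = re.compile(r"pAdmin\s*-\s*by:\s*pdi", re.IGNORECASE)
# The only directory a legitimate csrss.exe should run from (assumed: NT/2000 or XP layout)
LEGIT_CSRSS_DIR = re.compile(r"^[a-z]:\\(winnt|windows)\\system32$", re.IGNORECASE)

# Constructed "netstat -an" output for a host showing the 6651 listener
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6651           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
"""

# Constructed (image name, full path) pairs; the trojan keeps the legitimate
# file name but runs from the \restore subdirectory named in the post.
SAMPLE_PROCESSES: List[Tuple[str, str]] = [
    ("csrss.exe", r"C:\WINNT\system32\csrss.exe"),
    ("csrss.exe", r"C:\winnt\system32\restore\csrss.exe"),
    ("svchost.exe", r"C:\WINNT\system32\svchost.exe"),
]

# Constructed HTTP reply shaped like the password page the post describes
SAMPLE_BANNER = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><title>pAdmin - by: pdi</title>"
                 b"<form><input type=password name=pw></form></html>")


def listening_ports(netstat_output: str) -> List[int]:
    """Return the TCP ports in LISTENING state from 'netstat -an' text."""
    ports = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.append(int(fields[1].rsplit(":", 1)[1]))
    return ports


def rogue_csrss_paths(processes: Sequence[Tuple[str, str]]) -> List[str]:
    """Return every csrss.exe whose directory is not %SystemRoot%\\system32."""
    rogue = []
    for name, path in processes:
        if name.lower() != "csrss.exe":
            continue
        directory = path.rsplit("\\", 1)[0]
        if not LEGIT_CSRSS_DIR.match(directory):
            rogue.append(path)
    return rogue


def looks_like_padmin(banner: bytes) -> bool:
    """True if an HTTP reply carries the pAdmin identification string."""
    return PADMIN_MARKER.search(banner.decode("latin-1")) is not None


def grab_banner(host: str, port: int = SUSPECT_PORT, timeout: float = 3.0) -> bytes:
    """Live check only: send a minimal GET and return whatever the service answers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
        return b"".join(chunks)


def assess(netstat_output: str, processes: Sequence[Tuple[str, str]],
           banner: bytes) -> Dict[str, object]:
    """Combine the three indicators into one verdict."""
    findings: Dict[str, object] = {
        "port_6651_listening": SUSPECT_PORT in listening_ports(netstat_output),
        "rogue_csrss": rogue_csrss_paths(processes),
        "padmin_banner": looks_like_padmin(banner),
    }
    # Listener plus banner is the strongest signal; a csrss.exe in the wrong
    # directory is enough on its own to warrant pulling the box for imaging.
    findings["likely_padmin_backdoor"] = (
        findings["port_6651_listening"] and findings["padmin_banner"]
    ) or bool(findings["rogue_csrss"])
    return findings


if __name__ == "__main__":
    for key, value in assess(SAMPLE_NETSTAT, SAMPLE_PROCESSES, SAMPLE_BANNER).items():
        print(f"{key}: {value}")
```

The path check is deliberately stricter than "is it named csrss.exe": the trojan keeps the legitimate name, so only the directory distinguishes it. Run it as-is to see the verdict on the constructed samples, or feed assess() the real netstat output and process list from a suspect host and grab_banner(host) for the banner.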