Re: Pdmin / Trojaned csrss.exe

Matthew.Daltonrochester.edu
Date: Mon Aug 04 2003 - 15:39:12 CDT


One thing I have noticed while investigating this is the directory c:\WINNT\system32\dhcp (even on XP systems, where the system folder is c:\WINDOWS). This directory is hidden, but contains quite a few of the files that have been loaded. Included in this is a config file, winexplorer.dll. In this are some password hashes:

LocalSetupPassword=45244E5D5D024857420D585F
User1=admin|1|0
SignOn=C:\WINNT\system32\dhcp\ntlmconf.dll
User2=curry|1|0
[USER=curry|1]
Password=qa0F1DD1B0149057FE700DFCC8330DAAEA
[USER=admin|1]
Password=4C2F4F4D540E5956435A15

I'm not positive which hash functions these are in (obviously something in hex; MD4? salted MD5?), but it would be worth taking a look at.

--
**************************************************************************
|Matthew Dalton | |
|ITS Security Group |Email: Matthew.Daltonrochester.edu |
|University of Rochester | |
|Rochester, NY 14620 | |
**************************************************************************

On Mon, 4 Aug 2003, Jason Alexander wrote:

> Hello,
>
> I just mailed out the csrss.exe binary to everyone who asked for it. If
> anyone else would like this just let me know. I have what we believe to
> be the complete kit.
> Jason
>
>
> Jason Alexander wrote:
> > Hello all,
> >
> > We're seeing some machines compromised because of the RPC/DCOM issues where
> > they didn't get patched in time.
> >
> > One thing we are finding is a program running on port 6651 that identifies
> > itself as pAdmin - by: pdi in a web browser. This interface has a place
> > for a password.
> >
> > The program is run by a trojan csrss.exe in C:\winnt\system32\restore and
> > is installed at the same time an FTP server is installed. I did a strings
> > on the csrss.exe but turned up nothing that worked as a password. Can
> > anyone tell me more about this program or what it might be, or the
> > password?
> >
> > Our virus scanners don't seem to detect it but there is something called
> > Backdoor.Padmin that is listed in Norton's database. But very little
> > information is given.
> >
> > Thanks
> > Jason Alexander
> >
> > ---------------------------------------------------------------------------
> > ----------------------------------------------------------------------------
> >

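As an added triage helper (this is not part of the thread and not code from the kit being discussed), the following Python script parses the winexplorer.dll layout Matthew quoted and characterises each credential field by shape only: whether it is hex, how many bytes it decodes to, and whether that byte count matches a common digest size. It does not try to recover any password. The sample text is constructed from the values quoted in the post; the section and key names are as quoted. Treating a leading lowercase run (the "qa" in front of one of the values) as a tag separate from the uppercase hex body is an assumption made here, not something the post states.

```python
import re

# Constructed sample that reproduces the config layout quoted in the post.
SAMPLE_CONFIG = """\
LocalSetupPassword=45244E5D5D024857420D585F
User1=admin|1|0
SignOn=C:\\WINNT\\system32\\dhcp\\ntlmconf.dll
User2=curry|1|0
[USER=curry|1]
Password=qa0F1DD1B0149057FE700DFCC8330DAAEA
[USER=admin|1]
Password=4C2F4F4D540E5956435A15
"""

# Output sizes of digests the post wonders about, plus SHA-1/SHA-256 for comparison.
DIGEST_SIZES = {16: "MD4/MD5 (16 bytes)", 20: "SHA-1 (20 bytes)", 32: "SHA-256 (32 bytes)"}

def parse_config(text):
    """Parse key=value lines, grouped under the most recent [section] header.
    Keys before any header land in the '' (top-level) section."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections

def classify_secret(value):
    """Describe the shape of a stored credential value without decoding it.
    Assumption: the hex body is uppercase (as in the sample), so any leading run of
    characters outside 0-9A-F is reported as a prefix/tag rather than as hex."""
    m = re.fullmatch(r"([^0-9A-F]*)([0-9A-F]+)", value)
    if not m or len(m.group(2)) % 2:
        return {"hex": False, "prefix": "", "nbytes": None, "digest_match": None}
    prefix, body = m.group(1), m.group(2)
    nbytes = len(body) // 2
    return {"hex": True, "prefix": prefix, "nbytes": nbytes,
            "digest_match": DIGEST_SIZES.get(nbytes)}

def triage(text):
    """Return one finding per credential-looking key, tagged with its section."""
    findings = []
    for section, kv in parse_config(text).items():
        for key, value in kv.items():
            if key.lower() in ("password", "localsetuppassword"):
                info = classify_secret(value)
                info.update(section=section, key=key)
                findings.append(info)
    return findings

def uniform_length(findings):
    """True if every hex credential decodes to the same byte count (fixed-width digest)."""
    sizes = {f["nbytes"] for f in findings if f["hex"]}
    return len(sizes) == 1

def accounts(sections):
    """Account names from top-level User<N>=name|flag|flag lines."""
    return [v.split("|")[0] for k, v in sections[""].items() if re.fullmatch(r"User\d+", k)]

def referenced_paths(sections):
    """Windows paths named anywhere in the file; these are the next files to collect."""
    return [v for kv in sections.values() for v in kv.values() if re.match(r"[A-Za-z]:\\", v)]

if __name__ == "__main__":
    sections = parse_config(SAMPLE_CONFIG)
    print("accounts:", accounts(sections))
    print("referenced files:", referenced_paths(sections))
    found = triage(SAMPLE_CONFIG)
    for f in found:
        print(f"{f['section'] or '<top>'}/{f['key']}: hex={f['hex']} prefix={f['prefix']!r} "
              f"bytes={f['nbytes']} digest_size_match={f['digest_match']}")
    print("all same width:", uniform_length(found))
```

Run as-is it reports the two accounts, the ntlmconf.dll path as a file to pull from the same directory, and three hex values of 12, 16 and 11 bytes; only the 16-byte one lines up with an MD4/MD5 output size, and `uniform_length` returns False because the widths differ. That width check is the quickest way to tell a fixed-width digest from a length-dependent encoding before spending time on hash identification, and the script deliberately stops at reporting the shape.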