Hello all,

We're seeing some machines compromised because of the RPC/DCOM issues where they didn't get patched in time. One thing we are finding is a program running on port 6651 that identifies itself as "pAdmin - by: pdi" in a web browser. This interface has a place for a password. The program is run by a trojan csrss.exe in C:\winnt\system32\restore and is installed at the same time an FTP server is installed.

I did a strings on the csrss.exe but turned up nothing that worked as a password. Can anyone tell me more about this program or what it might be? Or the password? Our virus scanners don't seem to detect it, but there is something called Backdoor.Padmin that is listed in Norton's database. But very little information is given.

Thanks,
Jason Alexander
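A triage check built from the two indicators in the post above, a csrss.exe image outside the system32 directory and a listener on TCP 6651. This is an added example, not part of the original message; the input formats (a `pid,path` process list and netstat-style lines with a PID column), the function names and the sample data are constructed assumptions.

```python
import ntpath

SYSTEM_ROOT = r"C:\winnt"   # system root as given in the post
SUSPECT_PORT = 6651         # port of the pAdmin interface described in the post

# Constructed sample data, not captured from a real host.
PROCESSES = r"""
184,C:\winnt\system32\csrss.exe
1032,C:\winnt\system32\restore\csrss.exe
1100,C:\winnt\system32\svchost.exe
"""
NETSTAT = """
  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING    1100
  TCP    0.0.0.0:6651    0.0.0.0:0    LISTENING    1032
"""

def parse_processes(text):
    """Map PID -> image path from 'pid,path' lines."""
    procs = {}
    for line in text.splitlines():
        if line.strip():
            pid, path = line.split(",", 1)
            procs[int(pid)] = path.strip()
    return procs

def parse_listeners(text):
    """Return (port, pid) for every listening TCP socket."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            out.append((int(f[1].rsplit(":", 1)[1]), int(f[4])))
    return out

def misplaced_csrss(procs, system_root=SYSTEM_ROOT):
    """PIDs of csrss.exe images that do not sit directly in <root>\\system32."""
    expected = ntpath.normcase(ntpath.join(system_root, "system32"))
    hits = []
    for pid, path in procs.items():
        p = ntpath.normcase(ntpath.normpath(path))  # case-insensitive compare
        if ntpath.basename(p) == "csrss.exe" and ntpath.dirname(p) != expected:
            hits.append(pid)
    return sorted(hits)

def triage(proc_text, netstat_text):
    """Correlate both indicators: (pid, port, path, reasons) per listener."""
    procs = parse_processes(proc_text)
    bad = set(misplaced_csrss(procs))
    findings = []
    for port, pid in parse_listeners(netstat_text):
        reasons = [r for r, hit in (("listens on 6651", port == SUSPECT_PORT),
                                    ("csrss.exe outside system32", pid in bad)) if hit]
        if reasons:
            findings.append((pid, port, procs.get(pid, "?"), reasons))
    return findings
```
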
This archive was generated by hypermail 2b30 : Sun Aug 03 2003 - 08:37:41 PDT