Pdmin / Trojaned csrss.exe

From: Jason Alexander (listsat_private)
Date: Sat Aug 02 2003 - 14:55:21 PDT

    Hello all,
    
    We're seeing some machines compromised because of the RPC/DCOM issues where
    they didn't get patched in time.
    
    One thing we are finding is a program running on port 6651 that identifies
    itself as "pAdmin - by: pdi" in a web browser.  This interface has a place
    for a password.
    
    The program is run by a trojan csrss.exe in C:\winnt\system32\restore and
    is installed at the same time an FTP server is installed.  I did a strings
    on the csrss.exe but turned up nothing that worked as a password.  Can
    anyone tell me more about this program or what it might be?  Or the
    password.
    
    Our virus scanners don't seem to detect it, but there is something called
    Backdoor.Padmin that is listed in Norton's database.  But very little
    information is given.
    
    Thanks
    Jason Alexander
    
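A triage check for the two indicators the post describes, added here as an example and not part of the original post: it parses `netstat -ano` and `wmic process get ProcessId,ExecutablePath` style output (the samples below are constructed, not captured from a real host) and flags a csrss.exe running from anywhere other than %SystemRoot%\system32 together with whatever process owns the port 6651 listener. The system root default of C:\WINNT is an assumption matching the Windows 2000 path in the post.

```python
import re

# Constructed sample of `netstat -ano` output (not from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       824
  TCP    0.0.0.0:6651           0.0.0.0:0              LISTENING       1412
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
"""

# Constructed sample of `wmic process get ProcessId,ExecutablePath` output.
PROCESS_SAMPLE = """\
ExecutablePath                              ProcessId
C:\\WINNT\\system32\\csrss.exe              372
C:\\winnt\\system32\\restore\\csrss.exe     1412
C:\\WINNT\\system32\\svchost.exe            824
"""

SUSPECT_PORT = 6651  # port the post reports the pAdmin web interface on


def listeners_on(netstat_text, port):
    """Return the PIDs that hold a TCP socket in LISTENING state on `port`."""
    pids = []
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m and int(m.group(1)) == port:
            pids.append(int(m.group(2)))
    return pids


def processes(process_text):
    """Map PID -> executable path from wmic-style output (header skipped)."""
    out = {}
    for line in process_text.splitlines()[1:]:
        m = re.match(r"\s*(\S.*?\S)\s+(\d+)\s*$", line)
        if m:
            out[int(m.group(2))] = m.group(1)
    return out


def triage(netstat_text, process_text, system_root=r"C:\WINNT"):
    """Findings: csrss.exe outside the real system32 path, and the 6651 owner."""
    legit = (system_root + r"\system32\csrss.exe").lower()  # assumed root
    procs = processes(process_text)
    findings = []
    for pid, path in procs.items():
        if path.lower().endswith(r"\csrss.exe") and path.lower() != legit:
            findings.append(("masquerading csrss.exe", pid, path))
    for pid in listeners_on(netstat_text, SUSPECT_PORT):
        findings.append(("listener on %d" % SUSPECT_PORT, pid, procs.get(pid, "?")))
    return findings


if __name__ == "__main__":
    for finding in triage(NETSTAT_SAMPLE, PROCESS_SAMPLE):
        print(finding)
```

On a live host, feed it the real command output instead of the constructed samples; the two findings sharing PID 1412 is what ties the fake csrss.exe to the listener.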
    



    This archive was generated by hypermail 2b30 : Sun Aug 03 2003 - 08:37:41 PDT