We found a couple of versions of this as well...

pAdmin - by: pdi listening on 6651/tcp
pAdmin v1.0D (Haley) - by: pdi listening on 6351/tcp

One box had the 2nd pAdmin version listening on 6351, 6352, & 6353. There was also a pAdmin.BNC listening on 6565/tcp that appears to be an IRC bouncer version.

All systems had a Serv-U FTP daemon listening on 48522/tcp with a banner of "Welcome To The Consultant's Ftp".

I too would love to have some more info on this little app.

Thanks
Rob

-----Original Message-----
From: Jason Alexander [mailto:listsat_private]
Sent: Saturday, August 02, 2003 5:55 PM
To: incidentsat_private
Subject: Pdmin / Trojaned csrss.exe

Hello all,

We're seeing some machines compromised because of the RPC/DCOM issues where they didn't get patched in time. One thing we are finding is a program running on port 6651 that identifies itself as "pAdmin - by: pdi" in a web browser. This interface has a place for a password. The program is run by a trojan csrss.exe in C:\winnt\system32\restore and is installed at the same time an FTP server is installed. I did a strings on the csrss.exe but turned up nothing that worked as a password.

Can anyone tell me more about this program or what it might be? Or the password?

Our virus scanners don't seem to detect it, but there is something called Backdoor.Padmin that is listed in Norton's database. But very little information is given.

Thanks
Jason Alexander
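A defender-side check for the indicators reported in this thread, added here as an example and not part of either message: it takes constructed input in the shape of `netstat -ano` listener lines, a pid-to-image-path map (as one would build from `tasklist` or Process Explorer), and captured service banners, and flags the three things the posters describe: listeners on 6351-6353, 6565, 6651 and 48522, the "pAdmin - by: pdi" and "Welcome To The Consultant's Ftp" banners, and a csrss.exe running from anywhere other than the real system directory. The ports, banners and the `C:\winnt\system32\restore` path are from the thread; the function names, the sample data, and the FTP daemon's file name are assumptions.

```python
import ntpath
import re

# Indicators quoted in the thread; everything else in this module is assumed.
SUSPECT_PORTS = {6351, 6352, 6353, 6565, 6651, 48522}
BANNER_PATTERNS = {
    "pAdmin backdoor web interface": re.compile(r"\bpAdmin\b.*- by: pdi", re.I),
    "Serv-U FTP dropped with the backdoor": re.compile(
        r"Welcome To The Consultant's Ftp", re.I),
}
# The genuine csrss.exe lives directly in the system directory, not a subfolder.
LEGIT_CSRSS_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}

# Shape of a Windows 2000/XP `netstat -ano` listener line (constructed).
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)


def suspect_listeners(netstat_lines):
    """Return [(port, pid)] for TCP listeners on the ports named in the thread."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        port, pid = int(m.group(1)), int(m.group(2))
        if port in SUSPECT_PORTS:
            hits.append((port, pid))
    return hits


def classify_banner(banner):
    """Map a captured service banner to an indicator name, or None if clean."""
    for name, pattern in BANNER_PATTERNS.items():
        if pattern.search(banner):
            return name
    return None


def misplaced_csrss(processes):
    """Return PIDs of any csrss.exe whose image path is outside the system dir.

    `processes` is {pid: image_path}; ntpath is used so Windows paths parse
    correctly even when this runs on a non-Windows analysis box.
    """
    bad = []
    for pid, path in processes.items():
        if ntpath.basename(path).lower() != "csrss.exe":
            continue
        if ntpath.dirname(path).lower().rstrip("\\") not in LEGIT_CSRSS_DIRS:
            bad.append(pid)
    return bad


def assess_host(netstat_lines, processes, banners):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for port, pid in suspect_listeners(netstat_lines):
        image = processes.get(pid, "<unknown>")
        findings.append(f"listener on {port}/tcp, pid {pid} ({image})")
    for port, banner in banners.items():
        name = classify_banner(banner)
        if name:
            findings.append(f"banner on {port}/tcp matches: {name}")
    for pid in misplaced_csrss(processes):
        findings.append(
            f"csrss.exe running from non-system path, pid {pid} ({processes[pid]})")
    return findings


# Constructed sample input mirroring the thread's description.
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       452",
    "  TCP    0.0.0.0:6651           0.0.0.0:0              LISTENING       1180",
    "  TCP    0.0.0.0:48522          0.0.0.0:0              LISTENING       1196",
    "  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       600",
]
SAMPLE_PROCESSES = {
    452: r"C:\WINNT\system32\svchost.exe",
    600: r"C:\WINNT\system32\csrss.exe",                    # the real one
    1180: r"C:\winnt\system32\restore\csrss.exe",           # trojan path from the thread
    1196: r"C:\winnt\system32\restore\ftpd_placeholder.exe",  # FTP daemon, name assumed
}
SAMPLE_BANNERS = {
    6651: "<title>pAdmin - by: pdi</title>",
    48522: "220 Welcome To The Consultant's Ftp",
    135: "",
}

if __name__ == "__main__":
    for finding in assess_host(SAMPLE_NETSTAT, SAMPLE_PROCESSES, SAMPLE_BANNERS):
        print(finding)
```

Run against the sample data it reports the two suspect listeners, both banners and the csrss.exe under `restore`; on a real host the same three inputs come from `netstat -ano`, a process listing with image paths, and whatever banner-collection the responder already uses, and the port and banner tables are the only parts that need extending as more variants (such as the pAdmin.BNC listener on 6565) are observed.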
This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 08:31:43 PDT