Hello,

I just mailed out the csrss.exe binary to everyone who asked for it. If anyone else would like this just let me know. I have what we believe to be the complete kit.

Jason

Jason Alexander wrote:
> Hello all,
>
> We're seeing some machines compromised because of the RPC/DCOM issues where
> they didn't get patched in time.
>
> One thing we are finding is a program running on port 6651 that identifies
> itself as pAdmin - by: pdi in a web browser. This interface has a place
> for a password.
>
> The program is run by a trojan csrss.exe in C:\winnt\system32\restore and
> is installed at the same time an FTP server is installed. I did a strings
> on the csrss.exe but turned up nothing that worked as a password. Can
> anyone tell me more about this program or what it might be? Or the
> password?
>
> Our virus scanners don't seem to detect it but there is something called
> Backdoor.Padmin that is listed in Norton's database. But very little
> information is given.
>
> Thanks
> Jason Alexander

This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 09:46:38 PDT