Matthew.Daltonat_private wrote:
> One thing while investigating this that I have noticed is that in the directory c:\WINNT\system32\dhcp (even on XP systems with the system folder of c:\WINDOWS). This directory is hidden, but contains quite a bit of the files that have been loaded. Included in this is a config file: winexplorer.dll. In this are some password hashes:
>
> LocalSetupPassword=45244E5D5D024857420D585F
> User1=admin|1|0
> SignOn=C:\WINNT\system32\dhcp\ntlmconf.dll
> User2=curry|1|0
> [USER=curry|1]
> Password=qa0F1DD1B0149057FE700DFCC8330DAAEA
> [USER=admin|1]
> Password=4C2F4F4D540E5956435A15
>
> I'm not positive which hash functions (obviously something in Hex, MD4, salted MD5?) these are in, but it would be worth taking a look at.
>

I think this is for the FTP server. This kit has two parts. One is an FTP server that I can only assume is being used for distribution of warez and such. The web interface is what is interesting to me. Nessus seems to report this as an Apache server. It would be neat to know what it can do.

Jason
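Added example (not part of the original messages): a structural triage of the credential values quoted above, comparing each value's hex-decoded length with common digest sizes. The config text is copied from the quoted message; the digest-size table and all function names are assumptions of this example.

```python
import re

# Config excerpt exactly as quoted in the message above.
CONFIG = r"""LocalSetupPassword=45244E5D5D024857420D585F
User1=admin|1|0
SignOn=C:\WINNT\system32\dhcp\ntlmconf.dll
User2=curry|1|0
[USER=curry|1]
Password=qa0F1DD1B0149057FE700DFCC8330DAAEA
[USER=admin|1]
Password=4C2F4F4D540E5956435A15
"""

# Raw output sizes (bytes) of common hash functions; illustrative, not exhaustive.
DIGEST_BYTES = {16: "MD4/MD5", 20: "SHA-1", 32: "SHA-256"}

def parse_credentials(text):
    """Return {'section/key': value} for every key whose name contains 'password'."""
    section, found = "(global)", {}
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                      # section header such as [USER=curry|1]
            section = header.group(1)
        elif "=" in line:
            key, value = line.split("=", 1)
            if "password" in key.lower():
                found[f"{section}/{key}"] = value
    return found

def classify(value):
    """Split a value into a non-hex prefix and its trailing run of hex byte pairs."""
    m = re.search(r"(?:[0-9A-Fa-f]{2})+$", value)
    tail = m.group(0) if m else ""
    nbytes = len(tail) // 2
    return {
        "prefix": value[: len(value) - len(tail)],  # e.g. a possible salt
        "bytes": nbytes,                            # decoded length of the hex tail
        "fits": DIGEST_BYTES.get(nbytes),           # None = no listed digest size
    }

def triage(text):
    return {name: classify(v) for name, v in parse_credentials(text).items()}

if __name__ == "__main__":
    for name, info in triage(CONFIG).items():
        print(f"{name:30} prefix={info['prefix']!r:5} bytes={info['bytes']:2} fits={info['fits']}")
```

The curry entry comes out as a two-character prefix followed by a 16-byte hex value, which is MD4/MD5-sized. The other two values decode to 12 and 11 bytes, which match none of the digest sizes in the table.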
This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 14:36:42 PDT