Re: Pdmin / Trojaned csrss.exe

From: Matthew.Daltonat_private
Date: Mon Aug 04 2003 - 13:39:12 PDT


One thing I have noticed while investigating this is the directory c:\WINNT\system32\dhcp (even on XP systems with the system folder of c:\WINDOWS).  This directory is hidden, but contains quite a few of the files that have been loaded.  Included in this is a config file: winexplorer.dll.  In this are some password hashes:

LocalSetupPassword=45244E5D5D024857420D585F
User1=admin|1|0
SignOn=C:\WINNT\system32\dhcp\ntlmconf.dll
User2=curry|1|0
[USER=curry|1]
Password=qa0F1DD1B0149057FE700DFCC8330DAAEA
[USER=admin|1]
Password=4C2F4F4D540E5956435A15


I'm not positive which hash functions (obviously something in hex, MD4, salted MD5?) these are in, but it would be worth taking a look at.


--
**************************************************************************
|Matthew Dalton                     |                                    |
|ITS Security Group                 |Email: Matthew.Daltonat_private |
|University of Rochester            |                                    |
|Rochester, NY 14620                |                                    |
**************************************************************************


On Mon, 4 Aug 2003, Jason Alexander wrote:

> Hello,
> 
> I just mailed out the csrss.exe binary to everyone who asked for it.  If
> anyone else would like this just let me know.  I have what we believe to
> be the complete kit.
> Jason
> 
> 
> Jason Alexander wrote:
> > Hello all,
> > 
> > We're seeing some machines compromised because of the RPC/DCOM issues where
> > they didn't get patched in time.
> > 
> > One thing we are finding is a program running on port 6651 that identifies
> > itself as pAdmin - by: pdi in a web browser.  This interface has a place
> > for a password.
> > 
> > The program is run by a trojan csrss.exe in C:\winnt\system32\restore and
> > is installed at the same time an FTP server is installed.  I did a strings
> > on the csrss.exe but turned up nothing that worked as a password.  Can
> > anyone tell me more about this program or what it might be.  Or the
> > password.
> > 
> > Our virus scanners don't seem to detect it but there is something called
> > Backdoor.Padmin that is listed in Norton's database.  But very little
> > information is given.
> > 
> > Thanks
> > Jason Alexander
> 
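An added triage script, written for this archive page and not taken from the post or from the kit it discusses, that parses the winexplorer.dll fragment quoted above (embedded as a constructed copy) and reports what byte length alone says about each Password value. Two of the values are 12 and 11 bytes long, which matches no standard digest size, so they are more consistent with a reversible encoding of the plaintext than with a hash; the curry value is a "qa" prefix followed by 32 hex digits, i.e. 16 bytes, the output size of MD4 or MD5. The script also collects the Windows paths named in the file so they can go straight onto a host IoC checklist. The digest-size table, the prefix heuristic in split_hex_tail and all function names are my own assumptions; nothing here attempts to decode or crack a value.

```python
import re
import string

# Constructed copy of the winexplorer.dll fragment quoted in the post,
# embedded here so the script runs offline.
SAMPLE_CONFIG = r"""LocalSetupPassword=45244E5D5D024857420D585F
User1=admin|1|0
SignOn=C:\WINNT\system32\dhcp\ntlmconf.dll
User2=curry|1|0
[USER=curry|1]
Password=qa0F1DD1B0149057FE700DFCC8330DAAEA
[USER=admin|1]
Password=4C2F4F4D540E5956435A15
"""

# Standard digest sizes in bytes (assumed table). A value of any other
# length cannot be a bare digest from these functions, which is the one
# thing length alone can tell us.
DIGEST_SIZES = {16: "MD4/MD5-sized", 20: "SHA-1-sized", 32: "SHA-256-sized"}

HEX_TAIL = re.compile(r"[0-9A-Fa-f]+$")
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s|]+")


def parse_config(text):
    """Parse the INI-like text into (section, key, value) triples.
    Headers such as [USER=admin|1] are kept verbatim as the section name."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip(), value.strip()))
    return entries


def split_hex_tail(value):
    """Split a value into (prefix, hex_payload): the payload is the longest
    even-length run of hex digits at the end of the value. Heuristic: a
    leading hex-looking character (the 'a' in 'qa0F1D...') is pushed into
    the prefix when the run would otherwise have odd length."""
    m = HEX_TAIL.search(value)
    if not m:
        return value, ""
    tail = m.group(0)
    if len(tail) % 2:
        tail = tail[1:]
    return value[: len(value) - len(tail)], tail


def classify_value(value):
    """Describe a credential-looking value without trying to reverse it."""
    prefix, hex_payload = split_hex_tail(value)
    if not hex_payload:
        return {"prefix": prefix, "bytes": 0, "kind": "not-hex", "printable": False}
    raw = bytes.fromhex(hex_payload)
    return {
        "prefix": prefix,
        "bytes": len(raw),
        # Non-digest sizes are flagged: a reversible encoding of the plaintext
        # is then more likely than a hash, but this script does not decode it.
        "kind": DIGEST_SIZES.get(len(raw), "non-digest length"),
        # True only if every decoded byte is plain printable ASCII.
        "printable": all(chr(b) in string.printable for b in raw),
    }


def triage(text):
    """Classify every *Password* key and collect Windows paths as file IoCs."""
    creds, paths = {}, set()
    for section, key, value in parse_config(text):
        paths.update(WIN_PATH.findall(value))
        if "password" in key.lower():
            label = f"{section}/{key}" if section else key
            creds[label] = classify_value(value)
    return {"credentials": creds, "paths": sorted(paths)}


if __name__ == "__main__":
    report = triage(SAMPLE_CONFIG)
    for label, info in report["credentials"].items():
        print(f"{label}: {info['bytes']} bytes, {info['kind']}, prefix={info['prefix']!r}")
    print("file IoCs:", report["paths"])
```

Run against a real copy of the file, the same length check is a quick way to decide whether a value even merits a hash-identification pass before anyone spends time on it, and the collected paths feed directly into a scan of other hosts for the same dropped files.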
    



This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 14:40:21 PDT