One thing I have noticed while investigating this is the directory
c:\WINNT\system32\dhcp (present even on XP systems where the system folder
is c:\WINDOWS). This directory is hidden, but contains quite a bit of the
files that have been loaded. Included in this is a config file:
winexplorer.dll. In this are some password hashes:

    LocalSetupPassword=45244E5D5D024857420D585F
    User1=admin|1|0
    SignOn=C:\WINNT\system32\dhcp\ntlmconf.dll
    User2=curry|1|0
    [USER=curry|1]
    Password=qa0F1DD1B0149057FE700DFCC8330DAAEA
    [USER=admin|1]
    Password=4C2F4F4D540E5956435A15

I'm not positive which hash functions (obviously something in hex; MD4,
salted MD5?) these are in, but it would be worth taking a look at.

--
**************************************************************************
|Matthew Dalton          |                                                |
|ITS Security Group      |Email: Matthew.Daltonat_private                 |
|University of Rochester |                                                |
|Rochester, NY 14620     |                                                |
**************************************************************************

On Mon, 4 Aug 2003, Jason Alexander wrote:

> Hello,
>
> I just mailed out the csrss.exe binary to everyone who asked for it. If
> anyone else would like this just let me know. I have what we believe to
> be the complete kit.
>
> Jason
>
> Jason Alexander wrote:
> > Hello all,
> >
> > We're seeing some machines compromised because of the RPC/DCOM issues
> > where they didn't get patched in time.
> >
> > One thing we are finding is a program running on port 6651 that
> > identifies itself as pAdmin - by: pdi in a web browser. This interface
> > has a place for a password.
> >
> > The program is run by a trojan csrss.exe in C:\winnt\system32\restore
> > and is installed at the same time an FTP server is installed. I did a
> > strings on the csrss.exe but turned up nothing that worked as a
> > password. Can anyone tell me more about this program or what it might
> > be. Or the password.
> >
> > Our virus scanners don't seem to detect it but there is something
> > called Backdoor.Padmin that is listed in Norton's database. But very
> > little information is given.
> >
> > Thanks
> > Jason Alexander
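The thread above names four things a responder can check on a suspect host: the INI-style winexplorer.dll config with its `[USER=...]`/`Password=` records, the hidden `system32\dhcp` drop directory, a csrss.exe running from `system32\restore` rather than `system32`, and the pAdmin listener on TCP 6651. The following triage script is an added example written for this archive, not code from either poster; the indicator values are taken from the thread, while the netstat output, process list and directory list it runs against are constructed samples and the helper names (`parse_padmin_config`, `triage`, and so on) are my own.

```python
"""Host triage for the pAdmin/Backdoor.Padmin indicators reported in this thread.

Added example, not code from the original posts. Indicator values come from
the thread; the sample netstat output, process list and directory list below
are constructed, and all helper names are this example's own.
"""
import re

PADMIN_PORT = 6651                                   # pAdmin web interface port
SUSPECT_DIR_SUFFIXES = (r"\system32\dhcp",           # hidden drop directory
                        r"\system32\restore")        # where the trojan csrss.exe ran
LEGIT_CSRSS_SUFFIX = r"\system32\csrss.exe"          # the real csrss.exe path


def parse_padmin_config(text):
    """Parse the winexplorer.dll config: global key=value lines, then
    [USER=name|flag] sections whose following key=value lines belong to that user."""
    cfg = {"globals": {}, "users": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[USER=([^|\]]+)\|([^\]]*)\]", line)
        if m:                                         # open a per-user section
            section = m.group(1)
            cfg["users"].setdefault(section, {})["flag"] = m.group(2)
            continue
        if "=" not in line:
            continue                                  # tolerate junk lines
        key, value = line.split("=", 1)
        if section is not None:
            cfg["users"][section][key.lower()] = value
        elif re.fullmatch(r"User\d+", key):           # e.g. User1=admin|1|0
            name, *attrs = value.split("|")
            cfg["users"].setdefault(name, {})["attrs"] = attrs
        else:
            cfg["globals"][key] = value
    return cfg


def rogue_csrss(process_paths):
    """Return csrss.exe images that are not the real one directly under system32."""
    hits = []
    for p in process_paths:
        norm = p.lower().replace("/", "\\")
        if norm.endswith("\\csrss.exe") and not norm.endswith(LEGIT_CSRSS_SUFFIX):
            hits.append(p)
    return hits


def suspect_dirs(existing_dirs):
    """Return directories matching the drop locations named in the thread.
    Note: Windows Server hosts running the DHCP service legitimately have a
    system32\\dhcp directory; a WINNT tree on a c:\\WINDOWS install is the
    stronger signal, as the first post observes."""
    return [d for d in existing_dirs
            if d.lower().rstrip("\\").endswith(SUSPECT_DIR_SUFFIXES)]


NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s*(\w+)?")


def padmin_listeners(netstat_lines):
    """Return (local_addr, port) for TCP sockets LISTENING on the pAdmin port,
    parsed from `netstat -an` style lines."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and m.group(1) == "TCP" and int(m.group(3)) == PADMIN_PORT \
                and m.group(4) == "LISTENING":
            hits.append((m.group(2), PADMIN_PORT))
    return hits


def triage(config_text, process_paths, existing_dirs, netstat_lines):
    """Run all checks; empty lists mean the indicator was not seen."""
    cfg = parse_padmin_config(config_text)
    return {
        "backdoor_accounts": sorted(cfg["users"]),
        "signon_module": cfg["globals"].get("SignOn"),
        "rogue_csrss": rogue_csrss(process_paths),
        "suspect_dirs": suspect_dirs(existing_dirs),
        "padmin_listeners": padmin_listeners(netstat_lines),
    }


# --- constructed sample input (config text copied from the thread) ----------
SAMPLE_CONFIG = r"""
LocalSetupPassword=45244E5D5D024857420D585F
User1=admin|1|0
SignOn=C:\WINNT\system32\dhcp\ntlmconf.dll
User2=curry|1|0
[USER=curry|1]
Password=qa0F1DD1B0149057FE700DFCC8330DAAEA
[USER=admin|1]
Password=4C2F4F4D540E5956435A15
"""
SAMPLE_PROCESSES = [r"C:\WINNT\system32\csrss.exe",          # legitimate
                    r"C:\winnt\system32\restore\csrss.exe",  # path from the thread
                    r"C:\WINNT\system32\svchost.exe"]
SAMPLE_DIRS = [r"C:\WINNT\system32\dhcp", r"C:\WINNT\system32\drivers"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:6651           0.0.0.0:0              LISTENING",
    "  UDP    0.0.0.0:445            *:*",
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_CONFIG, SAMPLE_PROCESSES, SAMPLE_DIRS, SAMPLE_NETSTAT).items():
        print(f"{k}: {v}")
```

On a live host the constructed inputs would be replaced by the real config file contents, the image paths from the process list, a directory walk of the system root, and the output of `netstat -an`. The parser deliberately records the `Password=` values without interpreting them, since the thread does not establish what encoding or hash they use; the point of the script is to enumerate the backdoor's accounts and confirm the other indicators, not to recover credentials.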
This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 14:40:21 PDT