Pdmin / Trojaned csrss.exe

  • To: [EMAIL PROTECTED]
  • Subject: Pdmin / Trojaned csrss.exe
  • From: "Jason Alexander" <[EMAIL PROTECTED]>
  • Date: Sat, 2 Aug 2003 16:55:21 -0500 (CDT)
Hello all,

We're seeing some machines compromised because of the RPC/DCOM issues where
they didn't get patched in time.

One thing we are finding is a program running on port 6651 that identifies
itself as  pAdmin - by: pdi in a web browser.  This interface has a place
for a password.

The program is run by a trojan csrss.exe in C:\winnt\system32\restore and
is installed at the same time an FTP server is installed.  I did a strings
on the csrss.exe but turned up nothing that worked as a password.  Can
anyone tell me more about this program or what it might be?  Or the
password?

Our virus scanners don't seem to detect it but there is something called
Backdoor.Padmin that is listed in Norton's database.  But very little
information is given.

Thanks
Jason Alexander
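
Added example, not part of the original post: a triage check for the pattern described above, a core Windows binary name (csrss.exe) running from a directory other than `<SystemRoot>\system32`, correlated with its listening ports. The function names, the extra protected names, and the sample inventory are assumptions made for illustration; only the restore path and port 6651 come from the post.

```python
import ntpath

# Names of core Windows binaries that should only run from <SystemRoot>\system32.
# csrss.exe is from the post; the other names are an added assumption.
PROTECTED_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}


def is_masquerading(image_path, system_root=r"C:\WINNT"):
    """True if a protected name runs from anywhere but <system_root>\\system32."""
    norm = ntpath.normcase(ntpath.normpath(image_path))
    if ntpath.basename(norm) not in PROTECTED_NAMES:
        return False
    expected_dir = ntpath.normcase(ntpath.normpath(ntpath.join(system_root, "system32")))
    # Compare the parent directory exactly. A prefix test would accept
    # C:\winnt\system32\restore\csrss.exe because it starts with the trusted path.
    return ntpath.dirname(norm) != expected_dir


def triage(processes, listeners, system_root=r"C:\WINNT"):
    """Return masquerading processes together with the TCP ports they listen on."""
    ports_by_pid = {}
    for pid, port in listeners:
        ports_by_pid.setdefault(pid, []).append(port)
    findings = []
    for pid, path in processes:
        if is_masquerading(path, system_root):
            findings.append({"pid": pid, "path": path,
                             "ports": sorted(ports_by_pid.get(pid, []))})
    return findings


# Constructed sample inventory: PIDs are invented; the restore path and
# port 6651 are the values reported in the post.
SAMPLE_PROCESSES = [
    (172, r"C:\WINNT\system32\csrss.exe"),
    (1288, r"C:\winnt\system32\restore\csrss.exe"),
    (900, r"C:\WINNT\System32\svchost.exe"),
]
SAMPLE_LISTENERS = [(1288, 6651), (900, 135)]

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES, SAMPLE_LISTENERS):
        print(f"suspicious: pid={f['pid']} path={f['path']} ports={f['ports']}")
```

The process and listener lists would come from whatever inventory source is available on the host, in (pid, path) and (pid, port) form.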

Copyright (c) Virus.Org 1997-2006.