Re: Pdmin / Trojaned csrss.exe
- To: [EMAIL PROTECTED]
- Subject: Re: Pdmin / Trojaned csrss.exe
- From: David Moisan <[EMAIL PROTECTED]>
- Date: Mon, 04 Aug 2003 12:57:08 -0400
At 04:55 PM 8/2/2003 -0500, you wrote:
> The program is run by a trojan csrss.exe in C:\winnt\system32\restore and
> is installed at the same time an FTP server is installed. I did a strings
> on the csrss.exe but turned up nothing that worked as a password. Can
> anyone tell me more about this program or what it might be? Or the
> password.
What's the size of your csrss.exe? There is a legitimate csrss.exe in
Windows; it's a stub for the Win32 runtime service and it's 4K in size. I
would *not* just delete instances of csrss.exe without further
investigation as Windows (NT/2K/XP) needs this to run and will bluescreen
if it is halted.
My home system (XP Pro) does not have a system32\recover directory, nor
does my test SBS2000 (2K) box. Are there any other files in
\winnt\system32\recover?
You could try, if you have 2K or higher, the following:
sfc /scannow
This will scan your system and replace suspicious files; if csrss was
replaced in place, this will flush it out. I don't think this is
happening, though.
> One thing we are finding is a program running on port 6651 that identifies
> itself as pAdmin - by: pdi in a web browser. This interface has a place
> for a password.
What does Task Manager tell you? If you use Foundstone fport, it should
tell you exactly what executable is listening on that port; you should run
that any time you suspect a trojan.
Take care,
Dave
David Moisan, N1KGH ARES/SKYWARN [EMAIL PROTECTED]
Invisible Disability: http://www.davidmoisan.org/invisible_disability.html
ATS-909 FAQ: http://www.davidmoisan.org/radio/sangean/ats909faq.html
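The port-to-executable mapping Dave recommends fport for, written here as an added Python example that is not from the thread. It parses constructed netstat -ano output together with a constructed PID-to-path map (the shape wmic process get ProcessId,ExecutablePath reports), assumes C:\WINNT\system32 as the system directory, and also flags a csrss.exe image running outside that directory.

```python
# Constructed sample (not from the original post) in the format of
# "netstat -ano" on Windows 2000/XP: Proto, Local Address, Foreign Address, State, PID.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:6651           0.0.0.0:0              LISTENING       1388
  TCP    192.168.1.5:1043       10.0.0.9:80            ESTABLISHED     1520
"""

# Constructed PID -> executable path map, as "wmic process get ProcessId,ExecutablePath"
# would report it. Two csrss.exe images: the real one and one in an unexpected folder.
PROCESS_SAMPLE = {
    724: r"C:\WINNT\system32\svchost.exe",
    1388: r"C:\WINNT\system32\restore\csrss.exe",
    1520: r"C:\Program Files\Internet Explorer\iexplore.exe",
    544: r"C:\WINNT\system32\csrss.exe",
}

# Windows binaries that should only ever live directly in the system directory.
SYSTEM_ONLY = {"csrss.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}

def listening_ports(netstat_text):
    """Return {(proto, port): pid} for every LISTENING line of netstat -ano output."""
    ports = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Header and UDP lines have a different field count; only TCP listeners match.
        if len(fields) != 5 or fields[3] != "LISTENING":
            continue
        proto, local, _, _, pid = fields
        port = int(local.rsplit(":", 1)[1])
        ports[(proto, port)] = int(pid)
    return ports

def port_to_executable(netstat_text, processes):
    """Join listening ports to their owning image: what fport shows in one step."""
    return {key: processes.get(pid, "<unknown>")
            for key, pid in listening_ports(netstat_text).items()}

def suspicious_system_binaries(processes, system_dir=r"C:\WINNT\system32"):
    """Flag system-only image names whose parent directory is not the system directory."""
    flagged = []
    for pid, path in processes.items():
        directory, _, name = path.rpartition("\\")
        if name.lower() in SYSTEM_ONLY and directory.lower() != system_dir.lower():
            flagged.append((pid, path))
    return flagged

if __name__ == "__main__":
    for (proto, port), exe in sorted(port_to_executable(NETSTAT_SAMPLE, PROCESS_SAMPLE).items()):
        print(f"{proto} {port:>5} -> {exe}")
    for pid, path in suspicious_system_binaries(PROCESS_SAMPLE):
        print(f"PID {pid}: {path} is outside the system directory")
```

On a live box, feed it the real output of the two commands instead of the constructed samples; the real csrss.exe (PID 544 here) is not flagged because it sits in system32.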