Virus.Org Mailing List Archive


Re: Pdmin / Trojaned csrss.exe

  • To: [EMAIL PROTECTED]
  • Subject: Re: Pdmin / Trojaned csrss.exe
  • From: Jason Alexander <[EMAIL PROTECTED]>
  • Date: Mon, 04 Aug 2003 15:43:43 -0500
  • Cc: [EMAIL PROTECTED]
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]>
[EMAIL PROTECTED] wrote:
One thing I have noticed while investigating this is the directory c:\WINNT\system32\dhcp (present even on XP systems whose system folder is c:\WINDOWS). This directory is hidden, but contains quite a few of the files that have been loaded. Included in this is a config file, winexplorer.dll, which holds some password hashes:

LocalSetupPassword=45244E5D5D024857420D585F
User1=admin|1|0
SignOn=C:\WINNT\system32\dhcp\ntlmconf.dll
User2=curry|1|0
[USER=curry|1]
Password=qa0F1DD1B0149057FE700DFCC8330DAAEA
[USER=admin|1]
Password=4C2F4F4D540E5956435A15


I'm not positive which hash function these are (obviously something in hex; MD4? salted MD5?), but it would be worth taking a look at.

I think this is for the FTP server. This kit has two parts. One is an FTP server that I can only assume is being used for distribution of warez and such. The web interface is what is interesting to me. Nessus seems to report this as an Apache server. It would be neat to know what it can do.

Jason
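The original poster asks which hash function the Password fields in winexplorer.dll use. A first triage step an analyst can do offline is to parse the config and compare the byte length of each value against the fixed output sizes of the candidate digests (MD4 and MD5 both emit 16 bytes), because a raw digest cannot be 11 or 12 bytes long. The script below is an added example written for this archive page; it is not code from the thread or from the kit. It embeds a constructed copy of the config excerpt quoted above, and it assumes (as a guess about the file format, not a documented fact) that the trailing run of upper-case hex digits in each value is the digest part and anything before it is a tag.

```python
import re

# Constructed copy of the winexplorer.dll config excerpt quoted in the thread
# (same values as the post; the file on a real host may contain more keys).
CONFIG_TEXT = """\
LocalSetupPassword=45244E5D5D024857420D585F
User1=admin|1|0
SignOn=C:\\WINNT\\system32\\dhcp\\ntlmconf.dll
User2=curry|1|0
[USER=curry|1]
Password=qa0F1DD1B0149057FE700DFCC8330DAAEA
[USER=admin|1]
Password=4C2F4F4D540E5956435A15
"""

# Output sizes in bytes of the digests the poster guessed at (MD4/MD5),
# plus SHA-1 for comparison. A raw digest has a fixed size, so a value
# whose byte count matches none of these cannot be an unsalted raw digest.
DIGEST_SIZES = {"MD4": 16, "MD5": 16, "SHA-1": 20}

# The file writes hex in upper case; we treat a trailing run of upper-case
# hex digits as the "digest part" and anything before it as a tag/prefix.
# This is an assumption about the format, not a documented fact about the kit.
HEX_TAIL = re.compile(r"[0-9A-F]*$")
MIN_HEX_DIGITS = 8


def parse_config(text):
    """Parse the INI-like text into {section: {key: value}}.
    Keys that appear before any [section] header go under the "" section."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def classify_value(value):
    """Describe a credential field: the non-hex prefix (if any), the number
    of bytes in the hex part, and which fixed-size digests that could be."""
    tail = HEX_TAIL.search(value).group(0)
    if len(tail) < MIN_HEX_DIGITS or len(tail) % 2:
        return {"hex": False, "prefix": value, "bytes": None, "candidates": []}
    nbytes = len(tail) // 2
    return {
        "hex": True,
        "prefix": value[: len(value) - len(tail)],
        "bytes": nbytes,
        "candidates": sorted(n for n, s in DIGEST_SIZES.items() if s == nbytes),
    }


def credential_report(text):
    """Return one row per *Password* key: (section, key, classification)."""
    rows = []
    for section, keys in parse_config(text).items():
        for key, value in keys.items():
            if "password" in key.lower():
                rows.append((section, key, classify_value(value)))
    return rows


def consistent_with_one_digest(rows):
    """True only if every password field decodes to the same byte length.
    Differing lengths mean at least some values are not raw output of a
    single fixed-size hash function (they may be encoded or encrypted)."""
    lengths = {c["bytes"] for _, _, c in rows}
    return len(lengths) == 1 and None not in lengths


if __name__ == "__main__":
    report = credential_report(CONFIG_TEXT)
    for section, key, c in report:
        print(f"[{section or 'global'}] {key}: prefix={c['prefix']!r} "
              f"bytes={c['bytes']} candidates={c['candidates'] or 'none'}")
    print("all fields same length:", consistent_with_one_digest(report))
```

Run on the quoted excerpt, the three fields come out as 12, 16 and 11 bytes. Only the curry entry (after its "qa" tag) has a length compatible with MD4 or MD5; the LocalSetupPassword and admin values do not, and the lengths differ from one another, which argues against all three being raw output of one hash function. That is as far as the data on the page supports; identifying the actual encoding would need the kit's binary.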