Security Incidents mailing list archives
Re: Compromised NT box, sniffer and possible backdoor
From: Runar Jensen <rje () PAX PRIV NO>
Date: Fri, 13 Oct 2000 10:13:19 +0200
At 11:29 12.10.00 -0400, Ron Gula wrote:
and contained a session with apparently three Trojan programs. The first was a program renamed 'pbrush32' which when run printed out a list of system processes. The second was a program called 'print16' which possibly affected one of the running processes. What I thought was really interesting though was adding a sniffer to the wins.bat log file named 'wins16.exe'.

...

C:\WINNT\system32>{A}
pbrush32{A}
{D}{A}
C:\WINNT\system32>pbrush32{D}{A}
0 System Process {D}{A}
2 System {D}{A}
25 SMSS.EXE {D}{A}
33 CSRSS.EXE {D}{A}

Just thought I'd mention that the output from pbrush32 certainly looks a lot like what you'd get from "tlist.exe", a utility included in the NT 4.0 Resource Kit used to list processes.

.../ru