Re: Compromised NT box, sniffer and possible backdoor

[Runar Jensen <rje () PAX PRIV NO>]

At 11:29 12.10.00 -0400, Ron Gula wrote:

> and contained a session with apparently three Trojan programs. The
> first was a program renamed 'pbrush32' which when ran printed out
> a list of system processes. The second was a program called 'print16'
> which possibly effected one of the running processes. What I thought
> was really interesting though was adding a sniffer to the wins.bat
> log file named 'wins16.exe'.
> ...
> C:\WINNT\system32>{A}
> pbrush32{A}
> {D}{A}
> C:\WINNT\system32>pbrush32{D}{A}
>   0 System Process  {D}{A}
>   2 System          {D}{A}
>  25 SMSS.EXE        {D}{A}
>  33 CSRSS.EXE       {D}{A}

Just thought I'd mention that the output from pbrush32 certainly looks
a lot like what you'd get from "tlist.exe", a utility included in the NT 4.0
Resource Kit used to list processes.

.../ru