Educause Security Discussion mailing list archives

Eggdrop Backdoors on TCP 145 and 2583


From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Sat, 17 Jan 2004 11:54:06 -0600

Anyone found Eggdrop backdoors
listening on TCP 145 or 2583 in
the past 3-4 days?

TCP 145:        [Login:]
TCP 2583:       [Microsoft Update listner...]

The common files are:

        - injectt.exe (or inject.exe)
        - tback.dll
        - tinject.dll

The backdoor is injected into LSASS.exe
in all of my examples.

More on this Trojan at:

# http://www.megasecurity.org/trojans/w/wineggdrop/Wineggdropshell_eternity.html
# http://securityresponse.symantec.com/avcenter/venc/data/backdoor.eggdrop.html

Just curious, b/c I have found a few
and I'm trying to confirm the attack vector.

~cam.

Cam Beasley
ITS - Information Security Office
The University of Texas at Austin
cam () mail utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
---------------------------
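A defender-side check for the indicators listed in the post above, added here as an example and not part of the original message: it parses `netstat -ano` style output, flags listeners on TCP 145 and 2583 together with the owning process (the post reports the code injected into LSASS.exe), and matches the two banners quoted. The netstat sample and the PID-to-image map are constructed for illustration.

```python
import re
import socket
from typing import Dict, List, Optional

# Indicators quoted in the post: listening port -> banner prefix it returns.
EGGDROP_PORTS = {145: "[Login:]", 2583: "[Microsoft Update listner"}

# Matches "TCP  0.0.0.0:145  0.0.0.0:0  LISTENING  684" (netstat -ano on Windows).
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

# Constructed sample output (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:145            0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:2583           0.0.0.0:0              LISTENING       684
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
"""
# Constructed PID -> image name map, as one would build from `tasklist`.
TASKLIST_SAMPLE = {4: "System", 684: "lsass.exe", 892: "svchost.exe"}


def listeners_from_netstat(text: str) -> Dict[int, int]:
    """Map each listening TCP port to its owning PID."""
    listeners = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            listeners[int(m.group(1))] = int(m.group(2))
    return listeners


def suspicious_listeners(text: str, pid_to_image: Dict[int, str]) -> List[dict]:
    """Flag listeners on the ports from the post; note whether LSASS owns them."""
    hits = []
    for port, pid in listeners_from_netstat(text).items():
        if port in EGGDROP_PORTS:
            image = pid_to_image.get(pid, "<unknown>")
            hits.append({"port": port, "pid": pid, "image": image,
                         "expected_banner": EGGDROP_PORTS[port],
                         "in_lsass": image.lower() == "lsass.exe"})
    return sorted(hits, key=lambda h: h["port"])


def classify_banner(banner: bytes) -> Optional[int]:
    """Return the port whose quoted banner this data matches, else None."""
    text = banner.decode("latin-1", "replace")
    return next((p for p, prefix in EGGDROP_PORTS.items() if prefix in text), None)


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect to a host you administer and read what the listener sends first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256)
        except socket.timeout:
            return b""
```

Run `suspicious_listeners` over real `netstat -ano` output and a `tasklist` map from the host under review; a hit whose banner (via `grab_banner`) also classifies to the same port matches the pattern the post describes.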
