[unisog] RPCwhore

Steve Bernard sbernard at gmu.edu
Mon Aug 18 19:28:34 GMT 2003


So far, all of the machines that I've looked at were trojaned with either
Backdoor.Hale,
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hale.html
or Backdoor.Padmin,
http://securityresponse.symantec.com/avcenter/venc/dyn/40240.html.

Removing the backdoor per instructions stopped the IRC connections. On some
of the machines, the IRC connections were being initiated by a file named
csrss.exe, running on port 1030. This is consistent with the Backdoor.Hale
trojan. I also found connections originating from each of the following
ports on various boxes, which I haven't been able to evaluate yet. Because
there were multiple hosts using each of the respective ports I am assuming
that they aren't all random high ports chosen by the client. This may be the
result of other backdoors being used to join the same channel. When
connecting to the IP address 66.98.158.31, the destination port has always
been TCP 56498.


Client ports seen
-----------------
1026, 1029, 1030, 1037, 1038, 1201, 1257, 1290, 1705
1755, 1845, 1939, 1973, 2245, 2758, 2864, 3397, 4015
4540, 4706, 4773


Jon Miyake's explanation of what he has seen at UO provides more detail
about specifics that others may also be experiencing.


Regards,

Steve Bernard
Sr. Systems Engineer, NET
George Mason University
Fairfax, Virginia
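As an added illustration (not part of Steve's post), a small triage script that applies the reasoning above to constructed connection records: it flags outbound connections to the endpoint named in the post (66.98.158.31, TCP 56498) and lists client ports that recur across more than one host, which is the signal the post uses to argue the ports are not random ephemeral ones. The record format, host names and process names are assumptions.

```python
"""Triage helper for the IRC-backdoor connections described in the post."""
from collections import defaultdict

# Endpoint taken from the post.
C2_ENDPOINT = ("66.98.158.31", 56498)

# Constructed sample records (not real captures), one per TCP connection:
# host, local_port, remote_ip, remote_port, process
SAMPLE_LOG = """\
lab-01, 1030, 66.98.158.31, 56498, csrss.exe
lab-02, 1030, 66.98.158.31, 56498, csrss.exe
lab-03, 1201, 66.98.158.31, 56498, unknown
lab-04, 1201, 66.98.158.31, 56498, unknown
lab-05, 3456, 192.0.2.10, 80, iexplore.exe
lab-06, 1026, 66.98.158.31, 56498, unknown
"""


def parse_records(text):
    """Parse the comma-separated sample format into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, lport, rip, rport, proc = [f.strip() for f in line.split(",")]
        records.append((host, int(lport), rip, int(rport), proc))
    return records


def c2_connections(records, endpoint=C2_ENDPOINT):
    """Connections whose remote side is the known backdoor endpoint."""
    return [r for r in records if (r[2], r[3]) == endpoint]


def shared_client_ports(records, endpoint=C2_ENDPOINT):
    """Client (source) ports used toward the endpoint by more than one host.

    A port reused across hosts is unlikely to be an OS-chosen ephemeral port
    and is worth checking against the backdoor families named in the post.
    """
    hosts_by_port = defaultdict(set)
    for host, lport, rip, rport, _proc in records:
        if (rip, rport) == endpoint:
            hosts_by_port[lport].add(host)
    return {p: sorted(h) for p, h in hosts_by_port.items() if len(h) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for rec in c2_connections(recs):
        print("C2 connection:", rec)
    print("Client ports shared across hosts:", shared_client_ports(recs))
```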


