Educause Security Discussion mailing list archives
Eggdrop Backdoors on TCP 145 and 2583
From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Sat, 17 Jan 2004 11:54:06 -0600
Anyone found Eggdrop backdoors listening on TCP 145 or 2583 in the past 3-4 days?

TCP 145: [Login:]
TCP 2583: [Microsoft Update listner...]

The files common are:
- injectt.exe (or inject.exe)
- tback.dll
- tinject.dll

The backdoor is injected into LSASS.exe in all of my examples.

More on this Trojan at:
# http://www.megasecurity.org/trojans/w/wineggdrop/Wineggdropshell_eternity.html
# http://securityresponse.symantec.com/avcenter/venc/data/backdoor.eggdrop.html

Just curious, b/c I have found a few and I'm trying to confirm the attack vector.

~cam.

Cam Beasley
ITS - Information Security Office
The University of Texas at Austin
cam () mail utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
---------------------------
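Added example (not part of the original post): a Python check for the indicators listed above, run over Windows `netstat -ano` style output and a PID-to-image map. The sample rows, PIDs and file paths are constructed for illustration.

```python
import re

# Indicators taken from the post above.
SUSPECT_PORTS = {145, 2583}
SUSPECT_FILES = {"injectt.exe", "inject.exe", "tback.dll", "tinject.dll"}

# Constructed sample of `netstat -ano` output (not real host data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:145            0.0.0.0:0              LISTENING       512
  TCP    0.0.0.0:2583           0.0.0.0:0              LISTENING       512
  TCP    10.0.0.5:1450          10.0.0.9:80            ESTABLISHED     1320
  TCP    10.0.0.5:3012          10.0.0.9:2583          ESTABLISHED     1320
"""
# Constructed PID-to-image map, as a process listing would report it.
SAMPLE_PROCS = {512: "lsass.exe", 884: "svchost.exe", 1320: "iexplore.exe"}

# Only TCP rows in LISTENING state; captures local address, port and PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def suspect_listeners(netstat_text, procs):
    """Return (port, pid, image, in_lsass) for listeners on the suspect ports."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP, or non-listening row
        port, pid = int(m.group(2)), int(m.group(3))
        if port in SUSPECT_PORTS:
            image = procs.get(pid, "unknown")
            hits.append((port, pid, image, image.lower() == "lsass.exe"))
    return hits

def suspect_files(paths):
    """Return paths whose file name matches one of the names from the post."""
    return [p for p in paths
            if re.split(r"[\\/]", p)[-1].lower() in SUSPECT_FILES]

if __name__ == "__main__":
    for hit in suspect_listeners(SAMPLE_NETSTAT, SAMPLE_PROCS):
        print(hit)
```

A listener on either port owned by lsass.exe matches the post's description; the local port 1450 row and the outbound connection to a remote port 2583 are deliberately not flagged.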