Thom
Oct 14 2004, 10:49 AM
I found a file called winreg on a box containing FTP users and passes...
then I found whost.bat which contained
"rundll32 winhost.dll,RundllInstall SENS"
Anyone know what program is sniffing those FTP logins?
BoNzO
Oct 14 2004, 01:37 PM
I think that winhost.dll is the file .ini with account of a serv-u modded.
FuzZyBeeR
Oct 14 2004, 01:51 PM
Can you show us the content of these files? And mask passwords and logins, of course.
Thom
Oct 14 2004, 03:24 PM
I got more info on it now
copy testdll.dll %systemroot%\system32\iat.dll
copy launcher.exe %systemroot%\system32\senss.exe
rundll32 Winhost.dll,RundllInstall SENS
injects into winlogon.exe and logs FTP connections outgoing and ingoing on all ports
in winreg it looks like following
Port : 110 USER rwogle
Port : 110 PASS Red!51neck
Port : 110 PASS 424242
Port : 110 USER sjain3
Etc.
I also found a script of his to DL the files and install them, I'll upload it if it's wanted..
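Added example, not part of the original post or of the tool discussed: a triage helper for incident responders that recognizes the install lines and the capture-log line format quoted above, and summarizes a log without returning any captured value. The function names, the %windir% variant and the sample log values are assumptions made for this illustration.

```python
import re
from collections import Counter

# Capture-log line as quoted in the post: "Port : <n> USER|PASS <value>"
CAPTURE_LINE = re.compile(r"^\s*Port\s*:\s*(\d{1,5})\s+(USER|PASS)\s+\S", re.I)
# Install step as quoted in the post: rundll32 <dll>,RundllInstall <name>
RUNDLL_INSTALL = re.compile(
    r"\brundll32(?:\.exe)?\s+\S+\.dll\s*,\s*RundllInstall\b", re.I)
# Binary copied into system32 (%windir% is an assumed variant)
COPY_TO_SYSTEM32 = re.compile(
    r"^\s*copy\s+\S+\s+%(?:systemroot|windir)%\\system32\\\S+\.(?:dll|exe)\s*$",
    re.I)

def triage_capture_log(text, min_hits=2):
    """Summarise a suspected capture log; never returns captured values."""
    ports, kinds = Counter(), Counter()
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if m:
            ports[int(m.group(1))] += 1
            kinds[m.group(2).upper()] += 1
    hits = sum(ports.values())
    return {"suspicious": hits >= min_hits and kinds["PASS"] > 0,
            "lines": hits, "ports": dict(ports), "kinds": dict(kinds)}

def triage_install_script(text):
    """Return (line number, finding) for each install-style line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if RUNDLL_INSTALL.search(line):
            findings.append((n, "rundll32-RundllInstall"))
        elif COPY_TO_SYSTEM32.match(line):
            findings.append((n, "copy-into-system32"))
    return findings

# Constructed sample log (placeholder values, same line format as the post)
SAMPLE_LOG = "\n".join([
    "Port : 110 USER user-a", "Port : 110 PASS placeholder-1",
    "Port : 21 USER user-b", "Port : 21 PASS placeholder-2", "unrelated"])
# The three install lines quoted in the post
SAMPLE_BAT = "\n".join([
    r"copy testdll.dll %systemroot%\system32\iat.dll",
    r"copy launcher.exe %systemroot%\system32\senss.exe",
    r"rundll32 Winhost.dll,RundllInstall SENS"])

if __name__ == "__main__":
    print(triage_capture_log(SAMPLE_LOG))
    print(triage_install_script(SAMPLE_BAT))
```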
Gotisch
Oct 14 2004, 04:39 PM
Of course, show us.
Does that thing only log FTP accesses or also other sorts of authentication, such as HTTP or NetBIOS?
Thom
Oct 14 2004, 06:55 PM
Only FTP... this dude is sick, he injects like 3 DLLs into winlogon and installs rootkits, winshell and like 20MB of crap
ShouiZen
Oct 14 2004, 07:30 PM
It seems that it is a function keylog of wollf manage, I think
Thom
Oct 16 2004, 09:23 PM
Here is the sniffing files ..
n0n4m3
Oct 17 2004, 05:11 PM
QUOTE(Thom @ Oct 16 2004, 04:23 PM)
Here is the sniffing files ..
where ? can the others see some files / links? hmm hope this isn't a problem of mine :/
noname
net_runner
Oct 18 2004, 05:16 AM
QUOTE(n0n4m3 @ Oct 17 2004, 05:11 PM)
QUOTE(Thom @ Oct 16 2004, 04:23 PM)
Here is the sniffing files ..
where ? can the others see some files / links? hmm hope this isn't a problem of mine :/
noname
I can't either
mrBob
Oct 18 2004, 10:12 AM
lol
they're not there
Thom
Oct 20 2004, 07:31 AM
It must have been messed up somehow, anyway.
http://www.sexplorer.it/sniffer.rar
there they are..
net_runner
Oct 21 2004, 04:52 AM
Seems not too easy to know where it is from, what it does, and how it does it...
Now I'm very interested in your question...
anyone have an opinion?
eloman
Oct 27 2004, 09:22 PM
Hey Thom, give us those files, because they aren't there. Please.