That's because the 'wemilo' string is unicode. Try looking for "w\0e\0m\0i\0l\0o\0". Also, there's a version of 'strings' for NT that does both ASCII strings and Unicode strings over at www.sysinternals.com in the 'miscellaneous' section of their NT stuff. -- dil > Date: Fri, 28 Apr 2000 10:30:37 -0500 > From: Bill Borton <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427) > > Greetings, > > I have a client using cart32 2.6 so I went to the cart32clientlist url > mentioned in the alert and sure enough if dumped the hashed password > list. I high-tailed it over there and open up the cart32.exe and was unable > to find the "wemilo" password anywhere. Now this could be my fault, heck > I haven't touched a hex editor in ages, but still it prompted me to go back > to the clientlist url and try some random charecters instead of "wemilo". > Well, it happily dumped the client list again. Just to make sure it wasn't > just me I went out on the web and tried it at several sites running cart32 > (2.6 and 3.0) and all but one case it dumped the client list. The one > that didn't show a list DID show the open database messages so I think > maybe it just wasn't set up. I may be missing something here but it seems > to me you don't have to even know the "backdoor password" to dump the > client list and hashes. > > my 2 cents, > -Bill >