|
Security Basics
mailing list archives
RE: Possible Trojan.
From: "Bob Beck" <goodfela26 () finneganfamily net>
Date: Mon, 27 Oct 2003 15:55:17 -0500
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q263201&;
winlogon.exe is a basic windows service in win2k and it runs from the
system32 folder.
If it was running from anywhere else, then I've read that it would probably
be a porn dialer.
Heh, I noticed your email address also...Go Flyers! :)
-----Original Message-----
From: Gene [mailto:flyersfanindc () yahoo com]
Sent: Monday, October 27, 2003 2:43 PM
To: security-basics () securityfocus com
Subject: Possible Trojan.
Have a buddy complaining about his AOL account password being stolen every
time he logs onto AOL from his PC at work. I talked him through doing an
fport on his box and he sent me the results: Pid Process Port
Proto Path 8 System -> 1097 TCP 8 System -> 139
TCP 8 System -> 445 TCP 1916 aolwbspd -> 11523 TCP
C:\Program Files\America Online 9.0\aolwbsp d.exe 676 OUTLOOK ->
1125 TCP C:\Program Files\Microsoft Office\Office10\ OUTLOOK.EXE 676
OUTLOOK -> 1129 TCP C:\Program Files\Microsoft Office\Office10\
OUTLOOK.EXE 856 MSTask -> 1051 TCP
C:\WINNT\system32\MSTask.exe 988 svchost -> 1132 TCP
C:\WINNT\system32\svchost.exe 988 svchost -> 1134 TCP
C:\WINNT\system32\svchost.exe 988 svchost -> 1139 TCP
C:\WINNT\system32\svchost.exe 452 svchost -> 135 TCP
C:\WINNT\system32\svchost.exe 8 System -> 137 UDP 8
System -> 138 UDP 8 System -> 445 UDP 1820
-> 1849 UDP C:\Program Files\America Online 9.0\waol.ex e 1688
IEXPLORE -> 1191 UDP C:\Program Files\Internet Explorer\IEXPLORE
.EXE 1856 IEXPLORE -> 1784 UDP C:\Program Files\Internet
Explorer\IEXPLORE .EXE 676 OUTLOOK -> 1126 UDP C:\Program
Files\Microsoft Office\Office10\ OUTLOOK.EXE 676 OUTLOOK -> 1127
UDP C:\Program Files\Microsoft Office\Office10\ OUTLOOK.EXE 676
OK -> 1182 UDP C:\Program Files\Microsoft Office\Office10\
OUTLOOK.EXE 800 rtvscan -> 2967 UDP C:\Program
Files\NavNT\rtvscan.exe 268 lsass -> 500 UDP
C:\WINNT\system32\lsass.exe 228 winlogon -> 1053 UDP
\??\C:\WINNT\system32\winlogon.exe I'm really concerned with the last one:
228 winlogon -> 1053 UDP \??\C:\WINNT\system32\winlogon.exe
I've found some things on the net that say it's legit, I've found others
that say it's indicative of a backdoor. I ran fport on my box and did not
have any entries like that. Does anyone have any information on this? Are
there other entries that attract anyone else's attention? Your help is
appreciated.
---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------
---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
|
Intro
