|
Security Incidents
mailing list archives
Re: [unisog] Port 109 Mystery
From: Andy Polyakov <appro () fy chalmers se>
Date: Thu, 13 Mar 2003 10:01:27 +0100
Got a server with port 109 open, requesting a password. Pop-2 is not
running, various trojan and av cleaning tools have been run, various
registry keys have been checked manually. Fport reports a PID of 220 -
running PSKill on that PID results in a reboot.
If you kill legitimate [console] winlogon the system does reboot...
Fport seems to be
unsure of the path to the *.exe. The winlogon.exe has been replaced
with a known good copy.
I assume this means that even after winlogon.exe was "restored," it's
still found listening at port 109...
FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid Process Port Proto Path
220 winlogon -> 109 TCP \??\C:\WINNT\system32\winlogon.exe
What might be going on is following. A malicious program runs upon
start-up, but instead of keeping running in background, it injects a
thread into winlogon.exe and terminates. Even though it's perfectly
possible to inject sheer machine code directly into virtual address
space of another process, it's way simpler to map a DLL instead. For
this reason I'd recommend to list DLLs mapped by winlogin (as already
was suggested) and compare the output with another machine. A.
----------------------------------------------------------------------------
<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>
 By Date 
By Thread
Current thread:
| 
Intro
