Security Incidents mailing list archives
RE: IIS 4 inetinfo and system process port usage
From: "Andrew Kunz" <kunza () tdbank ca>
Date: Mon, 25 Jun 2001 14:21:54 -0400
Killing the process is probably not such a nice thing to do. Inetinfo is multiple services and perhaps you're leaving a stray thread hanging onto the port in question.

Try shutting down the FTP service:

    net stop msftpsvc

or shut down IIS altogether:

    net stop iisadmin /y

Andrew

-----Original Message-----
From: James.A.Tucker () Lowes Com [mailto:James.A.Tucker () Lowes Com]
Sent: Monday, June 25, 2001 9:32 AM
To: incidents () securityfocus com
Subject: IIS 4 inetinfo and system process port usage

I tried posting this to the Security Basics group but it was rejected by the moderator. Hopefully, this group will accept it. If not, please advise which group I can post this topic to, as I would like to hear others' opinions. Thanks

<original message>
I'm seeing an odd behavior with an IIS 4 server. Prior to killing the inetinfo process, my fport scan shows two processes traced to ports 21, 25, and 80: the inetinfo process and system process. This appears to be normal based on other fport scans I've done. What's odd is if I kill the inetinfo process on this one IIS 4 server and run a fport scan, the system process is still listed as listening on ports 21, 25, and 80. If I attempt to restart the web service and start up a virtual server in Internet Service Manager I get a "Winsock error" that the port is already in use. I was able to connect to port 80 via NetCat, but it did not return the IIS 4 banner like usual.

I've checked for common back door trojans, NetBus, Back Orifice, SubSeven, but found nothing. Has anyone else seen this type of behavior? Could this be a rootkit running in the system process which waits to take over the inetinfo ports whenever it goes down? Or is this just a problem of the NT OS not releasing the ports properly?

Stumped.
</end original message>

-------
James A. Tucker
Senior Analyst
Lowe's Companies, Inc.
Email: james.a.tucker () lowes com

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
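Added example, not part of either post: a small Python script that compares two saved fport listings, taken before and after a service process is stopped, and reports the ports that process held which another process still holds afterwards. The row layout ("Pid Process -> Port Proto Path") is an assumption about fport's output, and the two listings, including PIDs and paths, are constructed sample data.

```python
import re

# Assumed fport row layout: "Pid  Process  ->  Port  Proto  Path" (Path may be empty).
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

def parse_fport(text):
    """Return {(proto, port): {(pid, process), ...}} from an fport-style listing."""
    listeners = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header and blank lines
        pid, name, port, proto, _path = m.groups()
        listeners.setdefault((proto, int(port)), set()).add((int(pid), name))
    return listeners

def lingering_ports(before, after, stopped):
    """Ports the stopped process owned before that another process still holds after."""
    stopped = stopped.lower()
    findings = []
    for key in sorted(before):
        if not any(name.lower() == stopped for _, name in before[key]):
            continue  # the stopped process never owned this port
        holders = sorted(o for o in after.get(key, ()) if o[1].lower() != stopped)
        if holders:
            findings.append((key[0], key[1], holders))
    return findings

# Constructed sample listings (not real captures).
BEFORE = r"""Pid   Process            Port  Proto Path
2     System         ->  21    TCP
212   inetinfo       ->  21    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
2     System         ->  25    TCP
212   inetinfo       ->  25    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
2     System         ->  80    TCP
212   inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
2     System         ->  139   TCP
"""
AFTER = r"""Pid   Process            Port  Proto Path
2     System         ->  21    TCP
2     System         ->  25    TCP
2     System         ->  80    TCP
2     System         ->  139   TCP
"""

if __name__ == "__main__":
    for proto, port, holders in lingering_ports(
            parse_fport(BEFORE), parse_fport(AFTER), "inetinfo"):
        print(f"{proto}/{port} still held by {holders}")
```

Port 139 is not reported because inetinfo never owned it. Running the same comparison after a clean `net stop iisadmin /y` shows whether the ports are released when the services are stopped rather than killed.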
Current thread:
- IIS 4 inetinfo and system process port usage James . A . Tucker (Jun 25)
- RE: IIS 4 inetinfo and system process port usage Andrew Kunz (Jun 26)