Security Incidents mailing list archives
Re: Port 109 Mystery
From: Loki <loki () fatelabs com>
Date: 11 Mar 2003 16:52:23 -0500
Doug,

This may have been something you tried, but looking at that path, it looks like fport doesn't know how to interpret the initial dir name. Is it an ASCII char space, ALT-255, etc.? ALT-255 directories will not show up at all in Windows.

It looks like someone either copied winlogon.exe to another dir and bound it to port 109, or it's not winlogon at all, and rather a trojan that's been renamed to winlogon to fool the admin. I responded to a machine once where an ircbot and servu were renamed to look like printspool and spsvc.exe.

Here are things to try:

1. Run a netstat -an and see if there are any connections in/out of that port.
2. Put a sniffer on that segment and tcpdump any port 109 traffic.
3. Locate that file and run a $ strings <file> on it and check out the goods.

Just my 2 cents.

Eric

On Wed, 2003-03-12 at 11:54, Douglas Brown wrote:
> Got a server with port 109 open, requesting a password. Pop-2 is not running, various trojan and AV cleaning tools have been run, various registry keys have been checked manually. Fport reports a PID of 220 - running PSKill on that PID results in a reboot. Fport seems to be unsure of the path to the *.exe. The winlogon.exe has been replaced with a known good copy. Various tests included below. Has anyone else seen anything along these lines or have any advice to offer?
>
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Interesting ports on (*.*.*.*):
> (The 65522 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 80/tcp     open        http
> 109/tcp    open        pop-2
> 135/tcp    open        loc-srv
> 139/tcp    open        netbios-ssn
> 443/tcp    open        https
> 445/tcp    open        microsoft-ds
> 1040/tcp   open        unknown
> 1051/tcp   open        unknown
> 1052/tcp   open        unknown
> 1433/tcp   open        ms-sql-s
> 3306/tcp   open        mysql
> 3389/tcp   open        ms-term-serv
>
> Remote operating system guess: Windows 2000/XP/ME
>
> # nc *.*.*.* 109
> Password:
>
> FPort v1.33 - TCP/IP Process to Port Mapper
> Copyright 2000 by Foundstone, Inc.
> http://www.foundstone.com
>
> Pid   Process   Port  Proto Path
> 220   winlogon  ->    109   TCP   \??\C:\WINNT\system32\winlogon.exe
>
> thanks,
> -Doug
--
Loki <loki () fatelabs com>
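The three steps in Eric's reply amount to triaging whichever process fport maps to the port. As an added example that is not from the thread, the Python below parses fport-style output (constructed sample lines) and flags listeners whose path contains characters Explorer does not render (such as the ALT-255 non-breaking space), whose image sits outside the directory a core system process is expected to run from, or whose image name is one that does not normally open a listening socket; the `\??\` prefix fport printed is the NT object-manager form of a Win32 path, so it is stripped before comparing. The expected-directory table and the "never listens" set are assumptions for a Windows 2000 box, not a reference list.

```python
import re

# Listener lines in the same layout fport prints (constructed sample data).
SAMPLE_FPORT_OUTPUT = """\
Pid   Process            Port  Proto Path
220   winlogon       ->  109   TCP   \\??\\C:\\WINNT\\system32\\winlogon.exe
904   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
1412  winlogon       ->  1051  TCP   C:\\WINNT\\\u00ff\\winlogon.exe
"""
# pid, image name, "->", port, proto, path (path may contain spaces).
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(.*?)\s*$")
# Images that should only ever be started from %SystemRoot%\system32 (assumed W2K layout).
EXPECTED_DIR = {"winlogon": r"c:\winnt\system32", "svchost": r"c:\winnt\system32"}
# Images that never open a listening socket themselves (assumption for W2K).
NEVER_LISTENS = {"winlogon"}

def normalize_path(path):
    """Drop the NT object-manager prefix \\??\\ and lower-case the Win32 path."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()

def odd_chars(path):
    """Characters outside printable ASCII, e.g. ALT-255 (U+00FF) hidden dirs."""
    return [c for c in path if ord(c) < 0x20 or ord(c) > 0x7e]

def parse_fport(text):
    """Return one dict per listener line in fport's 'Pid Process Port Proto Path' table."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append({"pid": int(pid), "process": proc, "port": int(port),
                         "proto": proto, "path": path})
    return rows

def triage(text):
    """Return (pid, port, reason) for every listener that deserves a closer look."""
    findings = []
    for r in parse_fport(text):
        path, name = normalize_path(r["path"]), r["process"].lower()
        if odd_chars(path):
            findings.append((r["pid"], r["port"], "non-printable character in path"))
        expected = EXPECTED_DIR.get(name)
        if expected and not path.startswith(expected + "\\"):
            findings.append((r["pid"], r["port"], "image outside expected directory"))
        if name in NEVER_LISTENS:
            findings.append((r["pid"], r["port"], "process is not expected to listen"))
    return findings
```

Anything `triage` reports is a candidate for the strings and hash comparison against a known-good copy, not a verdict on its own.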