Security Incidents mailing list archives

Re: [unisog] Port 109 Mystery


From: Andy Polyakov <appro () fy chalmers se>
Date: Thu, 13 Mar 2003 10:01:27 +0100

> Got a server with port 109 open, requesting a password.  Pop-2 is not
> running, various trojan and av cleaning tools have been run, various
> registry keys have been checked manually.  Fport reports a PID of 220 -
> running PSKill on that PID results in a reboot.

If you kill the legitimate [console] winlogon, the system does reboot...

> Fport seems to be
> unsure of the path to the *.exe.  The winlogon.exe has been replaced
> with a known good copy.

I assume this means that even after winlogon.exe was "restored," it's
still found listening at port 109...

FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid   Process            Port  Proto Path
220   winlogon       ->  109   TCP   \??\C:\WINNT\system32\winlogon.exe

What might be going on is the following. A malicious program runs upon
start-up, but instead of keeping running in the background, it injects a
thread into winlogon.exe and terminates. Even though it's perfectly
possible to inject sheer machine code directly into the virtual address
space of another process, it's way simpler to map a DLL instead. For
this reason I'd recommend listing the DLLs mapped by winlogon (as was
already suggested) and comparing the output with another machine. A.
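One way to do that comparison, as an added example that is not part of this post: a small Python script that normalizes two per-process module listings (one module path per line, which most DLL-listing tools can be made to emit) taken from a known-good host and from the suspect host, reports what the suspect's winlogon loads that the clean one does not, and flags anything loaded from outside the system directory. The input format, the sample paths and the module names below are constructed assumptions, not output from a real machine.

```python
"""Diff the modules mapped into a process (here winlogon.exe) on a suspect
host against the same listing from a known-good host."""
import ntpath
import re

# Some tools print NT device paths (as Fport did above: \??\C:\WINNT\...);
# strip that prefix so both listings compare on the same form.
_NT_PREFIX = re.compile(r"^\\\?\?\\")

def normalize(path):
    """Canonical, case-insensitive form of a module path."""
    path = _NT_PREFIX.sub("", path.strip())
    return ntpath.normpath(path).lower()

def parse_listing(text):
    """One path per line; blank lines and '#' comments are ignored."""
    return {normalize(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def compare_modules(baseline, suspect,
                    system_dirs=("c:\\winnt\\system32", "c:\\windows\\system32")):
    """Return (unexpected, missing, outside_system):
    unexpected     - modules the suspect host loads but the clean host does not
    missing        - modules the clean host loads but the suspect host does not
    outside_system - unexpected modules that also live outside the system dir"""
    base, susp = parse_listing(baseline), parse_listing(suspect)
    unexpected = sorted(susp - base)
    missing = sorted(base - susp)
    outside = [p for p in unexpected
               if not any(p.startswith(d + "\\") for d in system_dirs)]
    return unexpected, missing, outside

# Constructed sample listings (assumed format; not captured from a real host).
CLEAN_HOST = r"""
\??\C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\ntdll.dll
C:\WINNT\system32\KERNEL32.DLL
C:\WINNT\system32\msgina.dll
"""
SUSPECT_HOST = r"""
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\ntdll.dll
C:\WINNT\system32\kernel32.dll
C:\WINNT\system32\msgina.dll
C:\WINNT\system32\wdmaud.dll
C:\Program Files\Common\hook.dll
"""

if __name__ == "__main__":
    unexpected, missing, outside = compare_modules(CLEAN_HOST, SUSPECT_HOST)
    print("only on suspect host:", unexpected)
    print("missing on suspect host:", missing)
    print("loaded from outside system dir:", outside)
```

Anything in the last list is the first thing to hash and inspect; a module that is only present on the suspect host but sits in system32 still deserves a look, since a dropped DLL can be given any name.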
