Security Incidents mailing list archives
Re: [unisog] Port 109 Mystery
From: Andy Polyakov <appro () fy chalmers se>
Date: Thu, 13 Mar 2003 10:01:27 +0100
Got a server with port 109 open, requesting a password. Pop-2 is not running, various trojan and av cleaning tools have been run, various registry keys have been checked manually. Fport reports a PID of 220 - running PSKill on that PID results in a reboot.
If you kill legitimate [console] winlogon the system does reboot...
Fport seems to be unsure of the path to the *.exe. The winlogon.exe has been replaced with a known good copy.
I assume this means that even after winlogon.exe was "restored," it's still found listening at port 109...
FPort v1.33 - TCP/IP Process to Port Mapper Copyright 2000 by Foundstone, Inc. http://www.foundstone.com Pid Process Port Proto Path 220 winlogon -> 109 TCP \??\C:\WINNT\system32\winlogon.exe
What might be going on is following. A malicious program runs upon start-up, but instead of keeping running in background, it injects a thread into winlogon.exe and terminates. Even though it's perfectly possible to inject sheer machine code directly into virtual address space of another process, it's way simpler to map a DLL instead. For this reason I'd recommend to list DLLs mapped by winlogin (as already was suggested) and compare the output with another machine. A. ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
Current thread:
- Port 109 Mystery Douglas Brown (Mar 12)
- Re: Port 109 Mystery Loki (Mar 12)
- RE: Port 109 Mystery James C Slora Jr (Mar 13)
- Re: [unisog] Port 109 Mystery Andy Polyakov (Mar 13)
- <Possible follow-ups>
- Re: Port 109 Mystery Douglas Brown (Mar 13)