Security Incidents mailing list archives

Re: Port 109 Mystery


From: Loki <loki () fatelabs com>
Date: 11 Mar 2003 16:52:23 -0500

Doug,

This may have been something you tried, but looking at that path, it
looks like fport doesn't know how to interpret the initial dir name. Is
it an ASCII char space, ALT-255, etc.? Alt-255 directories will not show
up at all in Windows. It looks like someone either copied winlogin.exe
to another dir and bound it to port 109, or it's not winlogin at all, and
rather, a trojan that's been renamed to winlogin to fool the admin. I
responded to a machine once where an ircbot and servu were renamed to
look like printspool and spsvc.exe.

Here are things to try:

1. Run a netstat -an and see if there are any connections in/out of that
port. 

2. Put a sniffer on that segment and tcpdump any port 109 traffic.

3. Locate that file and run a $ strings <file> on it and check out the
goods.



Just my 2 cents.
Eric




On Wed, 2003-03-12 at 11:54, Douglas Brown wrote:
Got a server with port 109 open, requesting a password.  Pop-2 is not 
running, various trojan and av cleaning tools have been run, various 
registry keys have been checked manually.  Fport reports a PID of 220 - 
running PSKill on that PID results in a reboot.  Fport seems to be 
unsure of the path to the *.exe.  The winlogon.exe has been replaced 
with a known good copy.  Various tests included below.  Has anyone else 
seen anything along these lines or have any advice to offer?

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (*.*.*.*):
(The 65522 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
109/tcp    open        pop-2
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
445/tcp    open        microsoft-ds
1040/tcp   open        unknown
1051/tcp   open        unknown
1052/tcp   open        unknown
1433/tcp   open        ms-sql-s
3306/tcp   open        mysql
3389/tcp   open        ms-term-serv
Remote operating system guess: Windows 2000/XP/ME

# nc *.*.*.* 109
Password:

FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid   Process            Port  Proto Path
220   winlogon       ->  109   TCP   \??\C:\WINNT\system32\winlogon.exe

thanks,
-Doug
-- 
Loki <loki () fatelabs com>
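As an added example that is not part of this thread: a small Python script that automates the netstat check from Eric's list and the path question raised about the fport line, run against constructed fport and "netstat -an" output. It flags a system-binary name bound to the port from a directory other than the expected one, a directory component that is an Alt-255 / non-breaking space (\xa0) style name, and every live connection on that port. The sample lines, the expected system directory and the system-name list are assumptions.

```python
import re

# Constructed fport-style output: the line from the post plus an invented look-alike whose
# parent directory is a single Alt-255 / non-breaking space (\xa0) character.
FPORT_SAMPLE = """\
Pid   Process            Port  Proto Path
220   winlogon       ->  109   TCP   \\??\\C:\\WINNT\\system32\\winlogon.exe
1200  winlogon       ->  109   TCP   C:\\WINNT\\\xa0\\winlogon.exe
332   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
"""
# Constructed "netstat -an" output for the same host (addresses are sample values).
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:109            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:109           192.0.2.77:4411        ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""
SYSTEM_DIR = r"c:\winnt\system32"      # assumed home of core Windows 2000 binaries
SYSTEM_NAMES = {"winlogon", "svchost", "lsass", "services", "spoolsv"}   # assumed watch list
NT_PREFIX = "\\??\\"                   # NT object-namespace prefix fport prints for some images
FPORT_LINE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(.+?)\s*$")
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+(\S+)\s*(\S*)")

def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def parse_fport(text):
    """(pid, process, port, proto, path) tuples from fport-style output."""
    return [m.groups() for line in text.splitlines() if (m := FPORT_LINE.match(line))]

def odd_components(path):
    """Directory names that are whitespace-only (an Alt-255 name) or non-ASCII/non-printable."""
    dirs = strip_nt_prefix(path).split("\\")[:-1]
    return [d for d in dirs if d and (d.isspace() or not d.isascii() or not d.isprintable())]

def findings(fport_text, netstat_text, port):
    """Triage notes for one port: owning process, image location, live connections."""
    notes = []
    for pid, proc, p, proto, path in parse_fport(fport_text):
        if int(p) != port:
            continue
        parent = strip_nt_prefix(path).rsplit("\\", 1)[0].lower()
        if proc.lower() in SYSTEM_NAMES and parent != SYSTEM_DIR:
            notes.append(f"pid {pid}: {proc} on {proto}/{p} runs from unexpected dir {parent!r}")
        if odd := odd_components(path):
            notes.append(f"pid {pid}: path contains hidden-looking dir name(s) {odd!r}")
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(2)) == port:
            notes.append(f"netstat: {m.group(1)}/{port} {m.group(4)} peer {m.group(3)}")
    return notes
```

Calling findings(FPORT_SAMPLE, NETSTAT_SAMPLE, 109) reports nothing for the pid 220 line (its path resolves to the expected system32 directory) but flags the invented pid 1200 copy twice and lists both port 109 connections.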

