I tried posting this to the Security Basics group but it was rejected by the moderator. Hopefully, this group will accept it. If not, please advise which group I can post this topic to as I would like to here other's opinions. Thanks <original message> I'm seeing an odd behavior with an IIS 4 server. Prior to killing the inetinfo process, my fport scan shows two processes traced to ports 21,25, and 80; the inetinfo process and system process. This appears to be normal based on other fport scans I've done. What's odd is if I kill the inetinfo process on this one IIS 4 server and run a fport scan, the system process is still listed as listening on ports 21,25, and 80. If I attempt to restart the web service and start up a virtual server in Internet Service Manager I get a "Winsock error" that the port is already in use. I was able to connect to port 80 via NetCat, but it did not return the IIS 4 banner like usual. I've checked for common back door trojans, NetBus, Back Orifice, SubSeven, but found nothing. Has anyone else seen this type of behavior? Could this be a rootkit running in the system process which waits to take over the inetinfo ports whenever it goes down? Or is this just a problem of the NT OS not releasing the ports properly? Stumped. </end original message> ------- James A. Tucker Senior Analyst Lowe's Companies, Inc. Email: james.a.tuckerat_private
This archive was generated by hypermail 2b30 : Mon Jun 25 2001 - 10:59:24 PDT