RE: IIS 4 inetinfo and system process port usage

From: Andrew Kunz (kunzaat_private)
Date: Mon Jun 25 2001 - 11:21:54 PDT

    Killing the process is probably not such a nice thing to do. Inetinfo is
    multiple services and perhaps you're leaving a stray thread hanging onto the
    port in question.  Try shutting down the FTP service
    
    net stop msftpsvc
    
    or shut down IIS altogether
    
    net stop iisadmin /y
    
    Andrew
    
    -----Original Message-----
    From: James.A.Tuckerat_private [mailto:James.A.Tuckerat_private]
    Sent: Monday, June 25, 2001 9:32 AM
    To: incidentsat_private
    Subject: IIS 4 inetinfo and system process port usage
    
    
    I tried posting this to the Security Basics group but it was rejected by the
    moderator.  Hopefully, this group will accept it.  If not, please advise
    which group I can post this topic to as I would like to hear others'
    opinions.
    
    Thanks
    
    <original message>
    I'm seeing an odd behavior with an IIS 4 server.  Prior to killing the
    inetinfo process, my fport scan shows two processes traced to ports 21, 25,
    and 80; the inetinfo process and system process.  This appears to be normal
    based on other fport scans I've done.  What's odd is if I kill the inetinfo
    process on this one IIS 4 server and run a fport scan, the system process is
    still listed as listening on ports 21, 25, and 80.  If I attempt to restart
    the web service and start up a virtual server in Internet Service Manager I
    get a "Winsock error" that the port is already in use.  I was able to
    connect to port 80 via NetCat, but it did not return the IIS 4 banner like
    usual.
    
    I've checked for common back door trojans, NetBus, Back Orifice, SubSeven,
    but found nothing.
    
    Has anyone else seen this type of behavior?  Could this be a rootkit running
    in the system process which waits to take over the inetinfo ports whenever
    it goes down?  Or is this just a problem of the NT OS not releasing the
    ports properly?
    
    Stumped.
    </end original message>
    -------
    James A. Tucker
    Senior Analyst
    Lowe's Companies, Inc.
    Email:  james.a.tuckerat_private
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
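As an added example that is not part of this thread, the PowerShell script below shows what Andrew's advice rests on: a listening port maps to one owning PID, and one PID can host several services (as inetinfo.exe hosted FTP, SMTP and WWW on IIS 4), so the individual service is what to stop, not the host process. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and will not run on NT 4; the port list and the function name are the author's own choices.

```powershell
# Added example: map listening TCP ports to their owning process and to the
# services hosted in that process, so the right service can be stopped
# gracefully instead of killing the process that hosts several of them.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection, Get-CimInstance).
param(
    [int[]]$Ports = @(21, 25, 80)   # the ports from the original report
)

function Get-PortOwner {
    param([int]$Port)
    # Listening sockets only; OwningProcess is the PID that owns the socket.
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        # Every service running inside that PID. Several services can share one
        # process, which is why stopping one of them is safer than killing the PID.
        $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($l.OwningProcess)" |
                Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Port     = $Port
            Address  = $l.LocalAddress
            PID      = $l.OwningProcess
            Process  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Services = ($svcs -join ',')
        }
    }
}

$report = foreach ($p in $Ports) { Get-PortOwner -Port $p }
$report | Format-Table -AutoSize

# PID 4 is the System process. On current Windows a port 80 listener owned by
# PID 4 is normally the kernel-mode HTTP.sys driver (inspect it with
# `netsh http show servicestate`), which is a different mechanism from the
# NT 4 / IIS 4 behaviour discussed in the thread; no user-mode service owns it.
foreach ($r in $report | Where-Object { $_.PID -eq 4 }) {
    Write-Warning "Port $($r.Port) is owned by System (PID 4): kernel-mode listener, check HTTP.sys."
}

# To stop a hosted service gracefully (the modern equivalent of `net stop`),
# use Stop-Service with the name shown in the Services column, for example:
#   Stop-Service -Name 'W3SVC'
```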
    



    This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 10:06:46 PDT