RE: IIS 4 inetinfo and system process port usage

From: Andrew Kunz (kunzaat_private)
Date: Mon Jun 25 2001 - 11:21:54 PDT

Next message: Ryan Russell: "W32 leaves.worm?"

Previous message: Jason R. Seats: "strange packets"
In reply to: James.A.Tuckerat_private: "IIS 4 inetinfo and system process port usage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

killing the process is probably not such a nice thing to do. Inetinfo is
multiple services and perhaps your leaving a stray thread hanging onto the
port in question.  try shutting down the ftp service

net stop msftpsvc

or shutdown iis alltogether

net stop iisadmin /y

Andrew




-----Original Message-----
From: James.A.Tuckerat_private [mailto:James.A.Tuckerat_private]
Sent: Monday, June 25, 2001 9:32 AM
To: incidentsat_private
Subject: IIS 4 inetinfo and system process port usage


I tried posting this to the Security Basics group but it was rejected by the
moderator.  Hopefully, this group will accept it.  If not, please advise
which group I can post this topic to as I would like to here other's
opinions.

Thanks

<original message>
I'm seeing an odd behavior with an IIS 4 server.  Prior to killing the
inetinfo process, my fport scan shows two processes traced to ports 21,25,
and 80; the inetinfo process and system process.  This appears to be normal
based on other fport scans I've done.  What's odd is if I kill the inetinfo
process on this one IIS 4 server and run a fport scan, the system process is
still listed as listening on ports 21,25, and 80.  If I attempt to restart
the web service and start up a virtual server in Internet Service Manager I
get a "Winsock error" that the port is already in use.  I was able to
connect to port 80 via NetCat, but it did not return the IIS 4 banner like
usual.

I've checked for common back door trojans, NetBus, Back Orifice, SubSeven,
but found nothing.

Has anyone else seen this type of behavior?  Could this be a rootkit running
in the system process which waits to take over the inetinfo ports whenever
it goes down?  Or is this just a problem of the NT OS not releasing the
ports properly?

Stumped.
</end original message>
-------
James A. Tucker
Senior Analyst
Lowe's Companies, Inc.
Email:  james.a.tuckerat_private


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: Ryan Russell: "W32 leaves.worm?"
Previous message: Jason R. Seats: "strange packets"
In reply to: James.A.Tuckerat_private: "IIS 4 inetinfo and system process port usage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 10:06:46 PDT