killing the process is probably not such a nice thing to do. Inetinfo is multiple services and perhaps your leaving a stray thread hanging onto the port in question. try shutting down the ftp service net stop msftpsvc or shutdown iis alltogether net stop iisadmin /y Andrew -----Original Message----- From: James.A.Tuckerat_private [mailto:James.A.Tuckerat_private] Sent: Monday, June 25, 2001 9:32 AM To: incidentsat_private Subject: IIS 4 inetinfo and system process port usage I tried posting this to the Security Basics group but it was rejected by the moderator. Hopefully, this group will accept it. If not, please advise which group I can post this topic to as I would like to here other's opinions. Thanks <original message> I'm seeing an odd behavior with an IIS 4 server. Prior to killing the inetinfo process, my fport scan shows two processes traced to ports 21,25, and 80; the inetinfo process and system process. This appears to be normal based on other fport scans I've done. What's odd is if I kill the inetinfo process on this one IIS 4 server and run a fport scan, the system process is still listed as listening on ports 21,25, and 80. If I attempt to restart the web service and start up a virtual server in Internet Service Manager I get a "Winsock error" that the port is already in use. I was able to connect to port 80 via NetCat, but it did not return the IIS 4 banner like usual. I've checked for common back door trojans, NetBus, Back Orifice, SubSeven, but found nothing. Has anyone else seen this type of behavior? Could this be a rootkit running in the system process which waits to take over the inetinfo ports whenever it goes down? Or is this just a problem of the NT OS not releasing the ports properly? Stumped. </end original message> ------- James A. Tucker Senior Analyst Lowe's Companies, Inc. Email: james.a.tuckerat_private This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 10:06:46 PDT