Possible trojaned wlogon.exe?

From: Thompson, John J (ThompsonJJat_private)
Date: Tue Jul 31 2001 - 11:09:22 PDT

    I've been keeping a close eye on the webserver and I just noticed that the
    processor usage is really high. Since I've been aware of it (about 2 hours)
    the following process has been at or around 99% utilization:
    PID 920 --- wlogin.exe
     
    I checked for connections, but there were no ftp sessions and minimal web
    traffic. No attacks flagged by blackice server, and no more than 9
    connections on average. Every now and then, a visitor will suddenly have 5-9
    simultaneous connections open on high level ports.
     
    I scanned the system for viruses and didn't detect any. 
     
    If you have any ideas, I would appreciate them!
     
    John
     
    ------------------------------------
    John Thompson
    Network Administrator
    Dept. of Biochemistry
    University of Iowa
     
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 15:12:10 PDT