Got a server with port 109 open, requesting a password. Pop-2 is not running, various trojan and av cleaning tools have been run, various registry keys have been checked manually. Fport reports a PID of 220 - running PSKill on that PID results in a reboot. Fport seems to be unsure of the path to the *.exe. The winlogon.exe has been replaced with a known good copy. Various tests included below.

Has anyone else seen anything along these lines or have any advice to offer?

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (*.*.*.*):
(The 65522 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
109/tcp    open        pop-2
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
445/tcp    open        microsoft-ds
1040/tcp   open        unknown
1051/tcp   open        unknown
1052/tcp   open        unknown
1433/tcp   open        ms-sql-s
3306/tcp   open        mysql
3389/tcp   open        ms-term-serv
Remote operating system guess: Windows 2000/XP/ME

# nc *.*.*.* 109
Password:

FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
220   winlogon       ->  109   TCP   \??\C:\WINNT\system32\winlogon.exe

thanks,
-Doug

--
Douglas Brown, CISSP
Manager of Security Resources
UNC Chapel Hill
Abernethy 105
"what can Brown do for you?"
This archive was generated by hypermail 2b30 : Wed Mar 12 2003 - 12:48:54 PST