Re: Port 109 Mystery

From: Loki (lokiat_private)
Date: Tue Mar 11 2003 - 13:52:23 PST


    Doug,
    
    This may have been something you tried, but looking at that path, it
    looks like fport doesn't know how to interpret the initial dir name. Is
    it an ASCII char space, ALT-255, etc.? Alt-255 directories will not show
    up at all in Windows. It looks like someone either copied winlogin.exe
    to another dir and bound it to port 109, or it's not winlogin at all, and
    rather a trojan that's been renamed to winlogin to fool the admin. I
    responded to a machine once where an ircbot and servu were renamed to
    look like printspool and spsvc.exe.
    
    Here are things to try:
    
    1. Run a netstat -an and see if there are any connections in/out of that
    port. 
    
    2. Put a sniffer on that segment and tcpdump any port 109 traffic.
    
    3. Locate that file and run a $ strings <file> on it and check out the
    goods.
    
    
    
    Just my 2 cents.
    Eric
    
    
    
    
    On Wed, 2003-03-12 at 11:54, Douglas Brown wrote:
    > Got a server with port 109 open, requesting a password.  Pop-2 is not 
    > running, various trojan and av cleaning tools have been run, various 
    > registry keys have been checked manually.  Fport reports a PID of 220 - 
    > running PSKill on that PID results in a reboot.  Fport seems to be 
    > unsure of the path to the *.exe.  The winlogon.exe has been replaced 
    > with a known good copy.  Various tests included below.  Has anyone else 
    > seen anything along these lines or have any advice to offer?
    > 
    > Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    > Interesting ports on (*.*.*.*):
    > (The 65522 ports scanned but not shown below are in state: closed)
    > Port       State       Service
    > 21/tcp     open        ftp
    > 80/tcp     open        http
    > 109/tcp    open        pop-2
    > 135/tcp    open        loc-srv
    > 139/tcp    open        netbios-ssn
    > 443/tcp    open        https
    > 445/tcp    open        microsoft-ds
    > 1040/tcp   open        unknown
    > 1051/tcp   open        unknown
    > 1052/tcp   open        unknown
    > 1433/tcp   open        ms-sql-s
    > 3306/tcp   open        mysql
    > 3389/tcp   open        ms-term-serv
    > Remote operating system guess: Windows 2000/XP/ME
    > 
    > # nc *.*.*.* 109
    > Password:
    > 
    > FPort v1.33 - TCP/IP Process to Port Mapper
    > Copyright 2000 by Foundstone, Inc.
    > http://www.foundstone.com
    > Pid   Process            Port  Proto Path
    > 220   winlogon       ->  109   TCP   \??\C:\WINNT\system32\winlogon.exe
    > 
    > thanks,
    > -Doug
    -- 
    Loki <lokiat_private>
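The three triage steps above (check netstat for the port, sniff it, run strings over the binary) can be scripted for the parts that run on the host. The following is an added example, not code from either poster: it parses constructed Windows `netstat -an` output for any row touching a given port, does a minimal `strings`-style extraction over a constructed byte buffer (useful on a Windows box that has no `strings` binary), and flags characters outside printable ASCII in a path, which is the kind of directory name fport would struggle to display. All sample data and function names are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:109            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:109        10.0.0.7:4412          ESTABLISHED
  TCP    192.168.1.5:3389       10.0.0.9:1077          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed stand-in for a suspicious executable's bytes.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00"
    + b"Password:\x00"
    + b"ok\x00"
    + b"WSAStartup\x00\xff\xfe"
    + b"ws2_32.dll\x00"
)


def _port_of(endpoint: str) -> int:
    """'0.0.0.0:109', '[::]:109' or '*:*' -> numeric port, -1 for a wildcard."""
    _host, _sep, port = endpoint.rpartition(":")
    return int(port) if port.isdigit() else -1


def connections_on_port(netstat_text: str, port: int) -> List[Tuple[str, str, str, str]]:
    """Return (proto, local, foreign, state) rows where either side uses `port`.

    This is step 1 of the reply: see whether anything is listening on or
    talking to the port, not just whether a scanner saw it open.
    """
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Skip the banner and header lines; data rows start with TCP or UDP.
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no state
        if port in (_port_of(local), _port_of(foreign)):
            rows.append((proto, local, foreign, state))
    return rows


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal `strings`: runs of printable ASCII at least `min_len` long (step 3)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def odd_path_chars(path: str) -> List[Tuple[int, int]]:
    """Positions and code points of path characters outside printable ASCII.

    A directory name built from ALT-255 or other non-printing characters is
    the case the reply describes; such names render as blank or garbage in
    tools like fport.
    """
    return [(i, ord(c)) for i, c in enumerate(path) if not 0x20 <= ord(c) <= 0x7E]


if __name__ == "__main__":
    for row in connections_on_port(SAMPLE_NETSTAT, 109):
        print("port 109:", row)
    print("strings:", extract_strings(SAMPLE_BINARY))
    # Constructed path with a 0xFF character as a directory name.
    print("odd chars:", odd_path_chars("C:\\WINNT\\\xff\\winlogon.exe"))
```

On a live host you would feed `connections_on_port` the real `netstat -an` output and `extract_strings` the bytes of the file fport points at; the imported DLL names and any banner text (here the constructed `Password:` prompt) are what the reply means by "the goods". Step 2, the sniffer, stays on the wire: a capture filtered to TCP port 109 on the segment is what shows whether the listener is being used and from where.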
    
    
    This archive was generated by hypermail 2b30 : Wed Mar 12 2003 - 14:34:53 PST