> Got a server with port 109 open, requesting a password. Pop-2 is not
> running, various trojan and av cleaning tools have been run, various
> registry keys have been checked manually. Fport reports a PID of 220 -
> running PSKill on that PID results in a reboot.

If you kill the legitimate [console] winlogon, the system does reboot...

> Fport seems to be unsure of the path to the *.exe. The winlogon.exe has
> been replaced with a known good copy.

I assume this means that even after winlogon.exe was "restored," it's
still found listening on port 109...

> FPort v1.33 - TCP/IP Process to Port Mapper
> Copyright 2000 by Foundstone, Inc.
> http://www.foundstone.com
>
> Pid  Process   Port    Proto  Path
> 220  winlogon  -> 109  TCP    \??\C:\WINNT\system32\winlogon.exe

What might be going on is the following. A malicious program runs at
start-up, but instead of staying running in the background, it injects a
thread into winlogon.exe and terminates. Even though it's perfectly
possible to inject sheer machine code directly into the virtual address
space of another process, it's way simpler to map a DLL instead. For this
reason I'd recommend listing the DLLs mapped by winlogon (as was already
suggested) and comparing the output with another machine.

A.
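The reply above recommends listing the DLLs mapped into winlogon.exe and comparing the list with a clean machine. The script below is an added example, not code from the original thread or from any of the tools it mentions. It assumes a current Windows host with PowerShell, an elevated session (winlogon runs as SYSTEM, so module enumeration needs administrator rights), and a baseline CSV exported from the known-good machine at an assumed path, C:\baseline\winlogon-modules.csv. On a Windows 2000 host of the era the same list can be taken with Sysinternals ListDLLs (listdlls.exe winlogon) and diffed by hand.

```powershell
# Added example, not from the original post. Export a baseline on the clean
# reference machine first (same command, then Export-Csv):
#
#   Get-Process -Name winlogon | ForEach-Object { $_.Modules } |
#       Select-Object ModuleName, FileName |
#       Export-Csv 'C:\baseline\winlogon-modules.csv' -NoTypeInformation
#
# Then run this on the suspect host from an elevated prompt.

$BaselinePath = 'C:\baseline\winlogon-modules.csv'   # assumed location
if (-not (Test-Path $BaselinePath)) {
    throw "Baseline not found at $BaselinePath; export it from a clean machine first."
}

# Modules currently mapped into every winlogon.exe instance on this host.
$current = Get-Process -Name winlogon |
    ForEach-Object { $_.Modules } |
    Select-Object ModuleName, FileName

$baseline = Import-Csv -Path $BaselinePath

# '=>' marks modules present here but never seen on the clean machine;
# '<=' marks modules the clean machine loads that are missing here.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
    -Property ModuleName, FileName

$diff | Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object {
    $m   = $_
    $sig = Get-AuthenticodeSignature -FilePath $m.FileName
    [pscustomobject]@{
        Module     = $m.ModuleName
        Path       = $m.FileName
        # Anything outside %SystemRoot%\System32 deserves a close look.
        InSystem32 = $m.FileName -like "$env:SystemRoot\System32\*"
        Signature  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
    }
} | Format-Table -AutoSize
```

Read the output with two caveats in mind. First, a name alone proves nothing: an injected DLL can sit in System32 under a plausible name, which is why the comparison is on path as well as name and the signature status is printed. Second, both Process.Modules and ListDLLs walk the loader lists in the target's PEB from user mode, so code that unlinks its module from those lists, or hooks the enumeration APIs, will not appear; a clean result from this script is evidence, not proof, and an offline memory image of the process is the next step if the port stays open.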
This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 07:58:07 PST