[Dshield] More on "possible trojaned wlogin.exe?"
mark.rowlands at minmail.net
Wed Aug 1 17:28:56 GMT 2001
On Tuesday 31 July 2001 21:17, you wrote:
> First of all, my apologies-- it was wlogin.exe, not wlogon.exe. I wanted to
> pass more info onto you in case it rang a bell.
> I re-started the server, hoping that the wlogin process would be released.
> It wasn't. Additionally, a netstat immediately after re-boot showed the
> following two connections:
> Tcp (http) from 126.96.36.199 <my server> to
> cr002.digital-integrity.com:1385 LAST_ACK
> Tcp 1033 from 188.8.131.52 to httpd.icechannel.com:6667 CLOSE_WAIT
> A few minutes later, the port from the connecting system changed from 1385
> to 3473.
Peculiar. wlogin.exe, at least the only one I know about, is a NetWare
file.... what is this doing on your server? icechannel are an advertising
company in the Caribbean, 6667 is commonly used for IRC. I would think
about putting a sniffer on the box and monitoring the traffic, getting rid of
wlogin.exe (at least temporarily!). You might want to run inzider
(ntsecurity.nu) or fport (www.foundstone.com) -- this is an NT/2000 box we're
talking about? Both of these apps attempt to see what applications are
opening which ports, and you can see if it is wlogin.exe opening connections.
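The port-to-process check the reply recommends (what fport/inzider did on NT 4/2000), as an added example that is not part of this thread: it joins `netstat -ano` output with `tasklist /fo csv /nh` output and flags sockets whose remote port is on a watch list (6667/IRC here). It assumes a netstat that supports `-o`, which NT 4/2000 lacked; the netstat and tasklist text below is constructed, and the PIDs and image names in it are made up.

```python
import csv
import io

# Constructed sample of `netstat -ano` output; the PID column is what ties a
# socket back to a process (the job fport/inzider did on NT 4/2000).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:80          203.0.113.5:1385       LAST_ACK        1204
  TCP    192.0.2.10:1033        198.51.100.7:6667      CLOSE_WAIT      1532
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       404
"""

# Constructed sample of `tasklist /fo csv /nh` output (image name, PID, ...).
TASKLIST_SAMPLE = """\
"System","4","Console","0","236 K"
"inetinfo.exe","1204","Console","0","5,120 K"
"wlogin.exe","1532","Console","0","2,048 K"
"svchost.exe","404","Console","0","3,072 K"
"""

SUSPICIOUS_REMOTE_PORTS = {6667}  # IRC, as noted in the thread


def pid_to_image(tasklist_text):
    """Map PID -> image name from tasklist CSV output."""
    rows = csv.reader(io.StringIO(tasklist_text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}


def parse_netstat(netstat_text):
    """Yield (proto, local, remote, state, pid) for each TCP line of netstat -ano."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[4].isdigit():
            yield parts[0], parts[1], parts[2], parts[3], int(parts[4])


def remote_port(addr):
    """Port of 'host:port' (rsplit keeps bracketed IPv6 addresses intact)."""
    return int(addr.rsplit(":", 1)[1])


def flag_connections(netstat_text, tasklist_text, ports=SUSPICIOUS_REMOTE_PORTS):
    """Return [(image, local, remote, state)] for sockets whose remote port is watched."""
    images = pid_to_image(tasklist_text)
    return [(images.get(pid, f"<pid {pid}>"), local, remote, state)
            for _, local, remote, state, pid in parse_netstat(netstat_text)
            if remote_port(remote) in ports]


if __name__ == "__main__":
    for image, local, remote, state in flag_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{image} {local} -> {remote} ({state})")
```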