[Dshield] More on "possible trojaned wlogin.exe?"

Mark Rowlands mark.rowlands at minmail.net
Wed Aug 1 17:28:56 GMT 2001


On Tuesday 31 July 2001 21:17, you wrote:
> First of all, my apologies-- it was wlogin.exe, not wlogon.exe. I wanted to
> pass more info onto you in case it rang a bell.
>
> I re-started the server, hoping that the wlogin process would be released.
> It wasn't. Additionally, a netstat immediately after re-boot showed the
> following two connections:
>
> Tcp (http) from 128.255.116.151 <my server> to
> cr002.digital-integrity.com:1385  LAST_ACK
> Tcp 1033   from 128.255.116.151 to httpd.icechannel.com:6667 CLOSE_WAIT
>
> A few minutes later, the port from the connecting system changed from 1385
> to 3473.
>
> Thanks,
> John
>
Peculiar, wlogin.exe, at least the only one I know about, is a NetWare 
file....what is this doing on your server? icechannel are an advertising 
company in the Caribbean, 6667 is commonly used for IRC. I would think 
about putting a sniffer on the box and monitoring the traffic, getting rid of 
wlogin.exe (at least temporarily!)   You might want to run inzider 
(ntsecurity.nu) or fport (www.foundstone.com) -- this is an NT/2000 box we're 
talking about?  Both of these apps attempt to see what applications are 
opening which ports, and you can see if it is wlogin.exe opening connections.
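The check Mark describes, mapping each open port back to the process that owns it and seeing whether the unexpected binary is the one talking to port 6667, as an added example that is not part of the original thread. It assumes Windows `netstat -ano` output (Proto, Local Address, Foreign Address, State, PID), and the netstat text and PID-to-image map below are constructed sample data standing in for real netstat and fport/tasklist output.

```python
from collections import namedtuple

# Remote ports worth a second look; 6667 is the common IRC port named in the thread.
WATCHED_REMOTE_PORTS = {6667: "irc"}
Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Constructed 'netstat -ano' output (Windows columns: Proto, Local, Foreign, State, PID).
# Server address is the one from the thread; remote addresses are documentation IPs.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       420
  TCP    128.255.116.151:80     203.0.113.7:1385       LAST_ACK        4
  TCP    128.255.116.151:1033   198.51.100.9:6667      CLOSE_WAIT      1744
  UDP    0.0.0.0:123            *:*                                    912
"""
# Constructed PID-to-image map, the kind of mapping fport or 'tasklist' would give.
SAMPLE_PROCESSES = {4: "System", 420: "svchost.exe", 912: "svchost.exe", 1744: "wlogin.exe"}

def parse_netstat(text):
    """Parse 'netstat -ano' lines into Conn records; header/blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts and parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        conns.append(Conn(proto, lip, int(lport), rip,
                          None if rport == "*" else int(rport), state, int(pid)))
    return conns

def flag_suspicious(conns, pid_to_image):
    """Attribute each connection to its image and flag watched remote ports."""
    findings = []
    for c in conns:
        image = pid_to_image.get(c.pid, "<unknown pid %d>" % c.pid)
        if c.remote_port in WATCHED_REMOTE_PORTS:
            reason = "remote port %d is %s" % (c.remote_port, WATCHED_REMOTE_PORTS[c.remote_port])
            findings.append((image, c, reason))
    return findings

def triage(netstat_text=SAMPLE_NETSTAT, pid_to_image=SAMPLE_PROCESSES):
    return flag_suspicious(parse_netstat(netstat_text), pid_to_image)
```

On a live box, feed `triage()` the real `netstat -ano` text and a PID map built from tasklist or fport output instead of the constructed samples.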