[Dshield] More on "possible trojaned wlogin.exe?"

Thompson, John J ThompsonJJ at mail.medicine.uiowa.edu
Tue Jul 31 19:17:35 GMT 2001


First of all, my apologies-- it was wlogin.exe, not wlogon.exe. I wanted to
pass more info on to you in case it rang a bell.

I re-started the server, hoping that the wlogin process would be released.
It wasn't. Additionally, a netstat immediately after re-boot showed the
following two connections:

Tcp (http) from 128.255.116.151 <my server> to
cr002.digital-integrity.com:1385  LAST_ACK
Tcp 1033   from 128.255.116.151 to httpd.icechannel.com:6667 CLOSE_WAIT

A few minutes later, the port from the connecting system changed from 1385
to 3473.

Thanks,
John

------------------------------------
John Thompson
Network Administrator
Dept. of Biochemistry
University of Iowa



