[Dshield] More on "possible trojaned wlogin.exe?"

Thompson, John J ThompsonJJ at mail.medicine.uiowa.edu
Tue Jul 31 19:17:35 GMT 2001

First of all, my apologies-- it was wlogin.exe, not wlogon.exe. I wanted to
pass more info on to you in case it rang a bell.

I re-started the server, hoping that the wlogin process would be released.
It wasn't. Additionally, a netstat immediately after re-boot showed the
following two connections:

Tcp (http) from <my server> to
cr002.digital-integrity.com:1385  LAST_ACK
Tcp 1033   from to httpd.icechannel.com:6667 CLOSE_WAIT

A few minutes later, the port from the connecting system changed from 1385
to 3473.


John Thompson
Network Administrator
Dept. of Biochemistry
University of Iowa
