Port 109 Mystery

Douglas Brown dugbrown at email.unc.edu
Wed Mar 12 16:54:30 GMT 2003

Got a server with port 109 open, requesting a password.  Pop-2 is not 
running, various trojan and AV cleaning tools have been run, various 
registry keys have been checked manually.  Fport reports a PID of 220 - 
running PSKill on that PID results in a reboot.  Fport seems to be 
unsure of the path to the *.exe.  The winlogon.exe has been replaced 
with a known good copy.  Various tests included below.  Has anyone else 
seen anything along these lines or have any advice to offer?

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (*.*.*.*):
(The 65522 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
80/tcp     open        http
109/tcp    open        pop-2
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
445/tcp    open        microsoft-ds
1040/tcp   open        unknown
1051/tcp   open        unknown
1052/tcp   open        unknown
1433/tcp   open        ms-sql-s
3306/tcp   open        mysql
3389/tcp   open        ms-term-serv
Remote operating system guess: Windows 2000/XP/ME

# nc *.*.*.* 109

FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
Pid   Process            Port  Proto Path
220   winlogon       ->  109   TCP   \??\C:\WINNT\system32\winlogon.exe

Douglas Brown, CISSP
Manager of Security Resources
UNC Chapel Hill
Abernethy 105
"what can Brown do for you?"
