Port 109 Mystery

Harlan Carvey keydet89 at yahoo.com
Wed Mar 12 21:10:06 GMT 2003


Doug,

> Got a server 

From your netstat output, I'd assume it's Win2K or
XP...so, did you happen to check the Registry keys for
WFP, specifically to see if it's been disabled, or
what the path to the cache is?

> with port 109 open, requesting a
> password.  Pop-2 is not 
> running, various trojan and av cleaning tools have
> been run, various 
> registry keys have been checked manually.

Which keys, specifically?

> Fport reports a PID of 220 - 
> running PSKill on that PID results in a reboot. 
> Fport seems to be 
> unsure of the path to the *.exe.  

From the output you provided, it's not clear what you
mean by that...fport seems to be pretty clear on the
path.

> The winlogon.exe has been replaced 
> with a known good copy.  Various tests included
> below.  Has anyone else 
> seen anything along these lines or have any advice
> to offer?

Yeah, quite a bit actually...

1.  Did you try running listdlls and handle.exe
against the process in question in order to collect
command line and user context info?

2.  Did you run pmdump.exe from NTSecurity.nu against
the process to save the contents of memory to a file,
so that you can then parse that file w/ tools like
strings?

3.  You said you replaced the .exe file w/ a known
good copy...did you happen to collect the MAC times on
the file, and keep a copy of the executable image that
was running?

4.  You seem to be running SQL, as well...have you
checked the logs for any accesses to stored
procedures?

If you didn't do any of these things, quite honestly,
there's no point posting to public lists.  If you
didn't even save a copy of the exe file, there's no
way (other than Google searches) to try and determine
what the file was.  W/o that and a root cause
analysis, you may very well be wide open to further
compromise.


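The collection steps Harlan lists above (tie the listening port to a PID, record the image path, command line and user context, dump process memory, capture the MAC times, and keep a copy of the running executable before replacing it), written out as an added example that is not part of the original post. It uses built-in cmdlets (Get-NetTCPConnection, Win32_Process, Get-FileHash) as stand-ins for fport, listdlls and handle.exe, and Sysinternals procdump as a stand-in for pmdump; the port number, the evidence directory C:\IR and the requirement to run elevated on a modern Windows host are assumptions for the example.

```powershell
# Added example: live triage of a suspicious listening port on Windows.
# Assumptions: run from an elevated prompt on Windows 8 / Server 2012 or later
# (Get-NetTCPConnection), port and evidence path are hypothetical choices,
# procdump.exe (Sysinternals) is optional and only used if found on PATH.
param(
    [int]$Port = 109,
    [string]$EvidenceDir = 'C:\IR'
)

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. Which process owns the listener (what fport reported as the PID).
$conns = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $conns) { Write-Warning "Nothing listening on TCP/$Port"; return }

foreach ($c in $conns) {
    $procId = $c.OwningProcess   # $PID is a read-only automatic variable, so use our own name

    # 2. Image path, command line, parent and user context (listdlls/handle territory).
    $proc  = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    $image = $proc.ExecutablePath

    [pscustomobject]@{
        PID         = $procId
        Image       = $image
        CommandLine = $proc.CommandLine
        ParentPID   = $proc.ParentProcessId
        User        = "$($owner.Domain)\$($owner.User)"
    } | Format-List | Out-File -FilePath (Join-Path $EvidenceDir "pid_$procId.txt")

    # Loaded modules: an unexpected DLL in a system process is as telling as a bad image path.
    Get-Process -Id $procId -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Modules -ErrorAction SilentlyContinue |
        Select-Object ModuleName, FileName |
        Out-File -FilePath (Join-Path $EvidenceDir "pid_${procId}_modules.txt")

    # 3. Memory image of the process (pmdump equivalent), so strings can be run offline.
    if (Get-Command procdump.exe -ErrorAction SilentlyContinue) {
        & procdump.exe -accepteula -ma $procId (Join-Path $EvidenceDir "pid_$procId.dmp") | Out-Null
    }

    # 4. MAC times, hash and a copy of the executable image, taken BEFORE anything replaces it.
    if ($image -and (Test-Path -LiteralPath $image)) {
        $f = Get-Item -LiteralPath $image
        # Read the timestamps first: hashing opens the file and can bump the access time.
        $mac = [pscustomobject]@{
            Path     = $f.FullName
            Modified = $f.LastWriteTimeUtc
            Accessed = $f.LastAccessTimeUtc
            Created  = $f.CreationTimeUtc
            Size     = $f.Length
        }
        $mac | Add-Member -NotePropertyName SHA256 -NotePropertyValue (
            (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash)
        $mac | Format-List | Out-File -FilePath (Join-Path $EvidenceDir "pid_${procId}_mactimes.txt")
        Copy-Item -LiteralPath $image -Destination (Join-Path $EvidenceDir "$($f.Name).bin")
    }
}
```

Run it before touching the process or the binary; the point of the ordering is that every artifact (timestamps, hash, copy, memory dump) is captured while the original image is still on disk and still running, which is exactly what the original poster no longer had once winlogon.exe had been replaced.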


