[unisog] Port 109 Mystery

Andy Polyakov appro at fy.chalmers.se
Thu Mar 13 09:01:27 GMT 2003

> Got a server with port 109 open, requesting a password.  Pop-2 is not
> running, various trojan and av cleaning tools have been run, various
> registry keys have been checked manually.  Fport reports a PID of 220 -
> running PSKill on that PID results in a reboot.

If you kill legitimate [console] winlogon the system does reboot...

> Fport seems to be
> unsure of the path to the *.exe.  The winlogon.exe has been replaced
> with a known good copy.

I assume this means that even after winlogon.exe was "restored," it's
still found listening at port 109...

> FPort v1.33 - TCP/IP Process to Port Mapper
> Copyright 2000 by Foundstone, Inc.
> http://www.foundstone.com
> Pid   Process            Port  Proto Path
> 220   winlogon       ->  109   TCP   \??\C:\WINNT\system32\winlogon.exe

What might be going on is following. A malicious program runs upon
start-up, but instead of keeping running in background, it injects a
thread into winlogon.exe and terminates. Even though it's perfectly
possible to inject sheer machine code directly into virtual address
space of another process, it's way simpler to map a DLL instead. For
this reason I'd recommend to list DLLs mapped by winlogin (as already
was suggested) and compare the output with another machine. A.

More information about the unisog mailing list