[unisog] Port 109 Mystery
appro at fy.chalmers.se
Thu Mar 13 09:01:27 GMT 2003
> Got a server with port 109 open, requesting a password. Pop-2 is not
> running, various trojan and av cleaning tools have been run, various
> registry keys have been checked manually. Fport reports a PID of 220 -
> running PSKill on that PID results in a reboot.
If you kill the legitimate [console] winlogon, the system does reboot...
> Fport seems to be
> unsure of the path to the *.exe. The winlogon.exe has been replaced
> with a known good copy.
I assume this means that even after winlogon.exe was "restored," it's
still found listening at port 109...
> FPort v1.33 - TCP/IP Process to Port Mapper
> Copyright 2000 by Foundstone, Inc.
> Pid Process Port Proto Path
> 220 winlogon -> 109 TCP \??\C:\WINNT\system32\winlogon.exe
What might be going on is the following. A malicious program runs upon
start-up, but instead of keeping running in the background, it injects a
thread into winlogon.exe and terminates. Even though it's perfectly
possible to inject sheer machine code directly into the virtual address
space of another process, it's way simpler to map a DLL instead. For
this reason I'd recommend listing the DLLs mapped by winlogon (as was
already suggested) and comparing the output with another machine. A.
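The comparison step suggested above, as an added example that is not part of the original post or of any Foundstone or Sysinternals tool: a small Python script that parses two module listings of winlogon.exe (one from the suspect host, one from a known-good machine of the same build) and reports DLLs that are absent from the baseline, DLLs that carry a baseline name but are loaded from a different directory, and anything mapped from outside the system directory. The line format it parses ("base size path", as ListDLLs-style tools print it), the `\??\` NT path prefix handling, and both listings are constructed for this example; the module name injected.dll is hypothetical.

```python
"""Diff the DLLs mapped into winlogon.exe against a known-good baseline.

Added example; not from the original post. Both listings below are
constructed. The expected line shape is "0xBASE  0xSIZE  PATH", with any
other lines (pid header, command line, column header, blanks) ignored.
"""
import re
from dataclasses import dataclass

# One module per line: hex base, hex size, then the path (may contain spaces).
MODULE_LINE = re.compile(r"^\s*(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)\s+(\S.*?)\s*$")


@dataclass(frozen=True)
class Module:
    base: int
    size: int
    path: str


def normalize(path):
    """Lower-case, strip the NT object-manager prefix Fport shows (\\??\\C:...)."""
    path = path.strip().lower().replace("/", "\\")
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def module_name(path):
    return normalize(path).rsplit("\\", 1)[-1]


def parse_listing(text):
    """Return the modules in a listing, in the order they appear."""
    modules = []
    for line in text.splitlines():
        m = MODULE_LINE.match(line)
        if m:  # header, command line and blank lines do not match
            modules.append(Module(int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return modules


def compare(baseline_text, suspect_text, system_dir=r"C:\WINNT\system32"):
    """Classify each suspect module against the baseline.

    unexpected: file name never seen in the baseline process
    relocated:  baseline name, but loaded from a different directory
    outside_system_dir: loaded from anywhere but system_dir (any name)
    """
    baseline = {module_name(m.path): normalize(m.path) for m in parse_listing(baseline_text)}
    sysdir = normalize(system_dir) + "\\"
    findings = {"unexpected": [], "relocated": [], "outside_system_dir": []}
    for m in parse_listing(suspect_text):
        name, path = module_name(m.path), normalize(m.path)
        if name not in baseline:
            findings["unexpected"].append(m)
        elif baseline[name] != path:
            findings["relocated"].append(m)
        if not path.startswith(sysdir):
            findings["outside_system_dir"].append(m)
    return findings


# Constructed baseline from a clean machine (not real ListDLLs output).
BASELINE = r"""winlogon.exe pid: 212
Command line: winlogon.exe

Base        Size      Path
0x01000000  0x80000   C:\WINNT\system32\winlogon.exe
0x77f80000  0x7b000   C:\WINNT\system32\ntdll.dll
0x77e80000  0xb5000   C:\WINNT\system32\kernel32.dll
0x77db0000  0x5d000   C:\WINNT\system32\advapi32.dll
0x77d40000  0x6f000   C:\WINNT\system32\rpcrt4.dll
0x75020000  0x0c000   C:\WINNT\system32\ws2help.dll
"""

# Constructed suspect listing: advapi32.dll loaded from the wrong directory,
# winsock newly present, and a hypothetical injected.dll outside system32.
SUSPECT = r"""winlogon.exe pid: 220
Command line: winlogon.exe

Base        Size      Path
0x01000000  0x80000   \??\C:\WINNT\system32\winlogon.exe
0x77f80000  0x7b000   C:\WINNT\system32\ntdll.dll
0x77e80000  0xb5000   C:\WINNT\system32\kernel32.dll
0x00c00000  0x5d000   C:\WINNT\advapi32.dll
0x77d40000  0x6f000   C:\WINNT\system32\rpcrt4.dll
0x75020000  0x0c000   C:\WINNT\system32\ws2help.dll
0x75030000  0x13000   C:\WINNT\system32\ws2_32.dll
0x10000000  0x08000   C:\WINNT\injected.dll
"""


if __name__ == "__main__":
    for kind, mods in compare(BASELINE, SUSPECT).items():
        print(kind + ":")
        for m in mods:
            print("  0x%08x  %s" % (m.base, m.path))
```

Everything the script flags is a candidate, not a verdict: a winsock DLL appearing in winlogon is worth explaining given the listener on port 109, but the strongest signal is a module loaded from outside the system directory or from a directory different from the baseline, which is exactly what a mapped-in DLL from a dropper tends to look like.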