RE: Probable Trojan.
From: Thompson, Jimi (JimiT_at_mail.cox.smu.edu)
Date: 10/28/03
- Previous message: Jay Castaldo: "Re: New Trojan"
- Maybe in reply to: Gene: "Probable Trojan."
- Next in thread: Brian Eckman: "Re: Probable Trojan."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Gene'" <flyersfanindc@yahoo.com>, incidents@securityfocus.com Date: Tue, 28 Oct 2003 09:56:57 -0600
Which version of Windows are we talking about? That can make a big
difference in the processes that should be running.
Thanks,
Jimi
-----Original Message-----
From: Gene [mailto:flyersfanindc@yahoo.com]
Sent: Monday, October 27, 2003 1:50 PM
To: incidents@securityfocus.com
Subject: Probable Trojan.
Have a buddy complaining about his AOL account password being stolen every
time he logs onto AOL from his PC at work. I talked him through doing an
fport on his box and he sent me the results:
Pid Process Port Proto Path
8 System -> 1097 TCP
8 System -> 139 TCP
8 System -> 445 TCP
1916 aolwbspd -> 11523 TCP C:\Program Files\America Online
9.0\aolwbsp
d.exe
676 OUTLOOK -> 1125 TCP C:\Program Files\Microsoft
Office\Office10\
OUTLOOK.EXE
676 OUTLOOK -> 1129 TCP C:\Program Files\Microsoft
Office\Office10\
OUTLOOK.EXE
856 MSTask -> 1051 TCP C:\WINNT\system32\MSTask.exe
988 svchost -> 1132 TCP C:\WINNT\system32\svchost.exe
988 svchost -> 1134 TCP C:\WINNT\system32\svchost.exe
988 svchost -> 1139 TCP C:\WINNT\system32\svchost.exe
452 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 137 UDP
8 System -> 138 UDP
8 System -> 445 UDP
1820 waol -> 1849 UDP C:\Program Files\America Online
9.0\waol.ex
e
1688 IEXPLORE -> 1191 UDP C:\Program Files\Internet
Explorer\IEXPLORE
.EXE
1856 IEXPLORE -> 1784 UDP C:\Program Files\Internet
Explorer\IEXPLORE
.EXE
676 OUTLOOK -> 1126 UDP C:\Program Files\Microsoft
Office\Office10\
OUTLOOK.EXE
676 OUTLOOK -> 1127 UDP C:\Program Files\Microsoft
Office\Office10\
OUTLOOK.EXE
676 OUTLOOK -> 1182 UDP C:\Program Files\Microsoft
Office\Office10\
OUTLOOK.EXE
800 rtvscan -> 2967 UDP C:\Program Files\NavNT\rtvscan.exe
268 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
228 winlogon -> 1053 UDP \??\C:\WINNT\system32\winlogon.exe
I'm really concerned with the last one:
228 winlogon -> 1053 UDP \??\C:\WINNT\system32\winlogon.exe
I've found some things on the net that say it's legit, I've found others
that say it's indicative of a backdoor. I ran fport on my box and did not
have any entries like that. Does anyone have any information on this? Are
there other entries that attract anyone else's attention?
Your help is appreciated.
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------
- Previous message: Jay Castaldo: "Re: New Trojan"
- Maybe in reply to: Gene: "Probable Trojan."
- Next in thread: Brian Eckman: "Re: Probable Trojan."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
