Re: Probable Trojan.

debrasuz_at_ctmail.ummu.umich.edu
Date: 10/28/03

  • Next message: Damian Gerow: "Re: New Trojan" 
    To: Gene <flyersfanindc@yahoo.com>
Date: Tue, 28 Oct 2003 11:08:55 -0500

    I can't say for sure, but I think the logon is because the machine is an
    Active Directory member, therefore, the ?? etc. I have seen this on our AD
    members, whereas the standalone machines don't show this entry.
    _______________________________
    Debra S. Haslam - debrasuz@umich.edu
    University of Michigan
    ITCS - WATS
    Office: 734-647-8264
    Cell: 734/516-0650
    Pager: 734/670-1820

                                                                                                               
                          Gene
                          <flyersfanindc@ya To: incidents@securityfocus.com
                          hoo.com> cc:
                                                   Subject: Probable Trojan.
                          10/27/2003 02:49
                          PM
                                                                                                               
                                                                                                               

    Have a buddy complaining about his AOL account password being stolen every
    time he logs onto AOL from his PC at work. I talked him through doing an
    fport on his box and he sent me the results:

    Pid Process Port Proto Path
    8 System -> 1097 TCP
    8 System -> 139 TCP
    8 System -> 445 TCP
    1916 aolwbspd -> 11523 TCP C:\Program Files\America Online
    9.0\aolwbsp
    d.exe
    676 OUTLOOK -> 1125 TCP C:\Program Files\Microsoft
    Office\Office10\
    OUTLOOK.EXE
    676 OUTLOOK -> 1129 TCP C:\Program Files\Microsoft
    Office\Office10\
    OUTLOOK.EXE
    856 MSTask -> 1051 TCP C:\WINNT\system32\MSTask.exe
    988 svchost -> 1132 TCP C:\WINNT\system32\svchost.exe
    988 svchost -> 1134 TCP C:\WINNT\system32\svchost.exe
    988 svchost -> 1139 TCP C:\WINNT\system32\svchost.exe
    452 svchost -> 135 TCP C:\WINNT\system32\svchost.exe

    8 System -> 137 UDP
    8 System -> 138 UDP
    8 System -> 445 UDP
    1820 waol -> 1849 UDP C:\Program Files\America Online
    9.0\waol.ex
    e
    1688 IEXPLORE -> 1191 UDP C:\Program Files\Internet
    Explorer\IEXPLORE
    .EXE
    1856 IEXPLORE -> 1784 UDP C:\Program Files\Internet
    Explorer\IEXPLORE
    .EXE
    676 OUTLOOK -> 1126 UDP C:\Program Files\Microsoft
    Office\Office10\
    OUTLOOK.EXE
    676 OUTLOOK -> 1127 UDP C:\Program Files\Microsoft
    Office\Office10\
    OUTLOOK.EXE
    676 OUTLOOK -> 1182 UDP C:\Program Files\Microsoft
    Office\Office10\
    OUTLOOK.EXE
    800 rtvscan -> 2967 UDP C:\Program Files\NavNT\rtvscan.exe
    268 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
    228 winlogon -> 1053 UDP \??\C:\WINNT\system32\winlogon.exe

    I'm really concerned with the last one:

    228 winlogon -> 1053 UDP \??\C:\WINNT\system32\winlogon.exe

    I've found some things on the net that say it's legit, I've found others
    that say it's indicative of a backdoor. I ran fport on my box and did not
    have any entries like that. Does anyone have any information on this? Are
    there other entries that attract anyone else's attention?

    Your help is appreciated.

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------

  • Next message: Damian Gerow: "Re: New Trojan"

    Relevant Pages

    • RE: Probable Trojan.
      ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ... see demos from more than 250 industry vendors. ... If your job touches ...
      (Incidents)
    • RE: CEH and Intense School
      ... Q-How many times has this course been delivered ... You want more than 4 to know the bugs are ironed out in labs and so on. ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
      (Pen-Test)
    • RE: New Trojan
      ... and discovered that there is an option to scan ADS, ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
      (Incidents)
    • RE: Probable Trojan.
      ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ... Don't miss RSA Conference 2004! ... Choose from over 200 class sessions and ...
      (Incidents)
    • Re: strange ftp site
      ... >Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ... Learn more or register at ... >and use priority code SF4. ...
      (Incidents)