Security Incidents mailing list archives

IIS 4 inetinfo and system process port usage


From: James.A.Tucker () Lowes Com
Date: Mon, 25 Jun 2001 09:31:50 -0400

I tried posting this to the Security Basics group but it was rejected by the
moderator.  Hopefully, this group will accept it.  If not, please advise
which group I can post this topic to, as I would like to hear others'
opinions.

Thanks

<original message>
I'm seeing an odd behavior with an IIS 4 server.  Prior to killing the
inetinfo process, my fport scan shows two processes traced to ports 21, 25,
and 80: the inetinfo process and the System process.  This appears to be normal
based on other fport scans I've done.  What's odd is that if I kill the inetinfo
process on this one IIS 4 server and run a fport scan, the System process is
still listed as listening on ports 21, 25, and 80.  If I attempt to restart
the web service and start up a virtual server in Internet Service Manager, I
get a "Winsock error" that the port is already in use.  I was able to
connect to port 80 via NetCat, but it did not return the IIS 4 banner like
usual.

I've checked for common back door trojans, NetBus, Back Orifice, SubSeven,
but found nothing.

Has anyone else seen this type of behavior?  Could this be a rootkit running
in the system process which waits to take over the inetinfo ports whenever
it goes down?  Or is this just a problem of the NT OS not releasing the
ports properly?

Stumped.
</end original message>
-------
James A. Tucker
Senior Analyst
Lowe's Companies, Inc.
Email:  james.a.tucker () lowes com

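The check James describes above (map each listening port to its owning process, kill a process, re-check, then connect and compare the banner) can be scripted on current Windows. The following is an added example written for this archive page; it is not part of the original message and it will not run on NT 4, since it relies on Get-NetTCPConnection (Windows 8 / Server 2012 and later) in place of fport and on a .NET TcpClient in place of NetCat. The port list 21, 25, 80 is taken from the post; treating PID 4 as "the System process" is the standard NT convention and is flagged rather than judged, because on modern Windows a kernel-mode listener on port 80 (http.sys) is expected, not necessarily a leaked socket or a rootkit.

```powershell
# Added example (not from the original post). Requires Windows 8 / Server 2012+.
# Lists the owner of each listening port of interest and grabs its banner, so a
# before/after comparison around stopping a service can be done from one script.
$Ports = 21, 25, 80   # ports from the post; adjust as needed

function Get-ListenerOwners {
    param([int[]]$Port)
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Port -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port        = $_.LocalPort
                Address     = $_.LocalAddress
                PID         = $_.OwningProcess
                Process     = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                # PID 4 is the System process; a listener owned by it is a kernel-mode
                # component (e.g. http.sys on modern Windows) and deserves a closer look
                # rather than an assumption either way.
                KernelOwned = ($_.OwningProcess -eq 4)
            }
        }
}

function Get-Banner {
    param([string]$Target = '127.0.0.1', [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $iar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $iar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return '<connect timeout>' }
        $client.EndConnect($iar)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        # FTP and SMTP volunteer a greeting; HTTP does not, so send a minimal request
        # to make the Server header appear (the equivalent of typing into NetCat).
        if ($Port -eq 80) {
            $req = [Text.Encoding]::ASCII.GetBytes("HEAD / HTTP/1.0`r`nHost: $Target`r`n`r`n")
            $stream.Write($req, 0, $req.Length)
        }
        $buf = New-Object byte[] 1024
        try { $n = $stream.Read($buf, 0, $buf.Length) } catch { return '<no banner>' }
        if ($n -le 0) { return '<no banner>' }
        return [Text.Encoding]::ASCII.GetString($buf, 0, $n).Trim()
    } catch {
        return "<error: $($_.Exception.Message)>"
    } finally {
        $client.Close()
    }
}

# Run once before and once after stopping the service, and diff the two tables:
# a port that stays open with a different owner, or answers with a different
# banner, is the condition the post describes.
Get-ListenerOwners -Port $Ports |
    ForEach-Object {
        $_ | Add-Member -NotePropertyName Banner `
                        -NotePropertyValue (Get-Banner -Port $_.Port) -PassThru
    } |
    Format-Table -AutoSize
```

A port still bound after the service process is gone should then be traced to its owner in the table: a user-mode owner that is not the expected service is worth investigating, while a PID 4 owner on modern Windows should be checked against the http.sys reservation list (netsh http show urlacl / servicestate) before suspecting anything else.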
