Security Incidents mailing list archives
RE: Probable Trojan.
From: "Jim Butterworth" <res0qh1m () verizon net>
Date: Wed, 29 Oct 2003 10:25:49 -0800
When you do a netstat -an from the command prompt, do you see the UDP port 1053 there, and does it say established, waiting, or ?? What IP is listed as the foreign address? Are you hooked to a broadband router using NAT? "The Thief" Trojan runs on TCP port 1053, and since this is UDP I doubt there is something there. To really dig into it, you'd need some captures from TCPDUMP. Know how to set up and run that? If you suspect something is going on, about the only way to be sure it is not a remote sort of deal is you need to sniff in/out traffic. Otherwise, a keylogger, or some other secret malware on the machine itself would be suspect. Has he used various machines, or the same one every time? There is an AOL.PWstealer trojan. Did you run av? Warmest Regards, Jim Butterworth, GCIA -----Original Message----- From: Gene [mailto:flyersfanindc () yahoo com] Sent: Monday, October 27, 2003 11:50 AM To: incidents () securityfocus com Subject: Probable Trojan. Have a buddy complaining about his AOL account password being stolen every time he logs onto AOL from his PC at work. I talked him through doing an fport on his box and he sent me the results: Pid Process Port Proto Path 8 System -> 1097 TCP 8 System -> 139 TCP 8 System -> 445 TCP 1916 aolwbspd -> 11523 TCP C:\Program Files\America Online 9.0\aolwbsp d.exe 676 OUTLOOK -> 1125 TCP C:\Program Files\Microsoft Office\Office10\ OUTLOOK.EXE 676 OUTLOOK -> 1129 TCP C:\Program Files\Microsoft Office\Office10\ OUTLOOK.EXE 856 MSTask -> 1051 TCP C:\WINNT\system32\MSTask.exe 988 svchost -> 1132 TCP C:\WINNT\system32\svchost.exe 988 svchost -> 1134 TCP C:\WINNT\system32\svchost.exe 988 svchost -> 1139 TCP C:\WINNT\system32\svchost.exe 452 svchost -> 135 TCP C:\WINNT\system32\svchost.exe 8 System -> 137 UDP 8 System -> 138 UDP 8 System -> 445 UDP 1820 waol -> 1849 UDP C:\Program Files\America Online 9.0\waol.ex e 1688 IEXPLORE -> 1191 UDP C:\Program Files\Internet Explorer\IEXPLORE .EXE 1856 IEXPLORE -> 1784 UDP C:\Program Files\Internet Explorer\IEXPLORE .EXE 676 OUTLOOK -> 1126 UDP C:\Program Files\Microsoft Office\Office10\ OUTLOOK.EXE 676 OUTLOOK -> 1127 UDP C:\Program Files\Microsoft Office\Office10\ OUTLOOK.EXE 676 OUTLOOK -> 1182 UDP C:\Program Files\Microsoft Office\Office10\ OUTLOOK.EXE 800 rtvscan -> 2967 UDP C:\Program Files\NavNT\rtvscan.exe 268 lsass -> 500 UDP C:\WINNT\system32\lsass.exe 228 winlogon -> 1053 UDP \??\C:\WINNT\system32\winlogon.exe I'm really concerned with the last one: 228 winlogon -> 1053 UDP \??\C:\WINNT\system32\winlogon.exe I've found some things on the net that say it's legit, I've found others that say it's indicative of a backdoor. I ran fport on my box and did not have any entries like that. Does anyone have any information on this? Are there other entries that attract anyone else's attention? Your help is appreciated. ------------------------------------------------------------------------ --- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
Current thread:
- Probable Trojan. Gene (Oct 28)
- Re: Probable Trojan. Brian Eckman (Oct 28)
- Re: Probable Trojan. Harlan Carvey (Oct 28)
- RE: Probable Trojan. Mark E. Donaldson (Oct 28)
- RE: Probable Trojan. Jim Butterworth (Oct 29)
- <Possible follow-ups>
- RE: Probable Trojan. Thompson, Jimi (Oct 28)
- Re: Probable Trojan. debrasuz (Oct 28)
- Re: Probable Trojan. Brian Eckman (Oct 28)