cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Hayton
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 6
‎12-26-2015 12:03 PM

Chrome processes show ports as "ingreslock" and "pptp" : any ideas?

I have Tcpview running from startup, and today I noticed something I've not seen before.

Tcpview showed the local ports being used for two Chrome processes not as numbers but as "ingreslock" and "pptp". I should have taken a screenshot, because after a couple of minutes - while I was busy Googling to find out what these new things were - the processes ended and vanished from the list.

1.  "ingreslock" is usually associated with Port 1524. Note, I do not have an Ingres database.


Ingreslock is used legitimately to lock parts of an Ingres database. However, there are known trojans that also use port 1524 as a backdoor into a system. 






https://www.acunetix.com/vulnerabilities/network/vulnerability/possible-backdoor-ingreslock/








Possible Backdoor: Ingreslock



A backdoor is installed on the remote host Attackers can exploit this issue to execute arbitrary commands in the context of the application. Successful attacks will compromise the affected system.





Now, that shouldn't be a problem. McAfee remained silent, my firewall is set to Stealth, and I have disabled most ports in the  firewall. So 1524 should have been blocked - but Chrome was using it. So, has someone put a backdoor onto my system using Chrome or a Chrome extension to do it?

2. "pptp" is "Point-to-Point Tunnelling Protocol", which may be used when setting up a VPN. I don't use a VPN, and I don't know why Chrome would be trying to establish a pptp connection, in or out. It's an old protocol and not secure, another reason why Chrome should not be using it. Wikipedia explains what's involved - Point-to-Point Tunneling Protocol - Wikipedia, the free encyclopedia


This is unusual behaviour from Chrome, so I intend to ask on both the Chrome and Sysinternals forums if anyone has seen this before.

In the meantime, does anyone here have any idea what was going on?

0 Kudos
Reply
5 Replies
catdaddy
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 6
‎12-26-2015 02:29 PM

Re: Chrome processes show ports as "ingreslock" and "pptp" : any ideas?

Have you seen a file called ( /tmp/bob is used as the configuration file for the inetd process the exploit starts, which usually puts a bindshell on ingreslock (port 1524).? The ingreslock port (1524/TCP) is often used as a backdoor by programs which exploit vulnerable RPC (Remote Procedure Call) services. The backdoor is usually accompanied by a file called /tmp/bob which is the configuration file which opens a shell on the port.

This may be a subject you could bring up to Vinoo/or David from McAfee Labs?

I am uncertain if they would need a Hash..etc.

Cliff
McAfee Volunteer
0 Kudos
Reply
Hayton
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 6
‎12-26-2015 05:24 PM

Re: Chrome processes show ports as "ingreslock" and "pptp" : any ideas?

Yes, I saw the same article that mentions /tmp/bob.

I checked for any file with "bob" in its name and there's nothing, as expected. The forward-slash and use of "tmp" indicates that that files is to be found on Linux rather than windows.

I'm wondering if this is a glitch with TcpView substituting a name for a port number, although I've never seen those names in the list before. Better safe than sorry : I'll wait for a response from someone on TechNet who knows. Maybe I'll even get noticed by Mark Russinovitch.

0 Kudos
Reply
exbrit
MVP
Report Inappropriate Content
Message 4 of 6
‎12-27-2015 03:55 AM

Re: Chrome processes show ports as "ingreslock" and "pptp" : any ideas?

In the meanwhile it wouldn't do any harm to run MBAM free.

Anti-Spyware/Malware/Hijacker Tools

0 Kudos
Reply
Hayton
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 6
‎12-27-2015 06:27 AM

Re: Chrome processes show ports as "ingreslock" and "pptp" : any ideas?

Time for a scan anyway, but close observation of today's Chrome activity indicates this may be Tcpview mislabelling ports opened randomly by Chrome as part of the browser's normal operations. Knowing the port numbers that map to those descriptions is helpful; the latest example of a name instead of a number is "ms-sql-m".

0 Kudos
Reply
exbrit
MVP
Report Inappropriate Content
Message 6 of 6
‎12-27-2015 06:33 AM

Re: Chrome processes show ports as "ingreslock" and "pptp" : any ideas?

That's always been a bit of a mystery to me I'm afraid.  Good luck 😉

0 Kudos
Reply

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC