5 Replies Latest reply on Dec 27, 2015 8:33 AM by Peter M

    Chrome processes show ports as "ingreslock" and "pptp" : any ideas?

    Hayton

      I have Tcpview running from startup, and today I noticed something I've not seen before.

       

      Tcpview showed the local ports being used for two Chrome processes not as numbers but as "ingreslock" and "pptp". I should have taken a screenshot, because after a couple of minutes - while I was busy Googling to find out what these new things were - the processes ended and vanished from the list.

       

      1.  "ingreslock" is usually associated with Port 1524. Note, I do not have an Ingres database.

      Ingreslock is used legitimately to lock parts of an Ingres database. However, there are known trojans that also use port 1524 as a backdoor into a system.

       

      https://www.acunetix.com/vulnerabilities/network/vulnerability/possible-backdoor-ingreslock/


      Possible Backdoor: Ingreslock

      A backdoor is installed on the remote host. Attackers can exploit this issue to execute arbitrary commands in the context of the application. Successful attacks will compromise the affected system.

       

       

      Now, that shouldn't be a problem. McAfee remained silent, my firewall is set to Stealth, and I have disabled most ports in the firewall. So 1524 should have been blocked - but Chrome was using it. So, has someone put a backdoor onto my system using Chrome or a Chrome extension to do it?

       

      2. "pptp" is "Point-to-Point Tunnelling Protocol", which may be used when setting up a VPN. I don't use a VPN, and I don't know why Chrome would be trying to establish a pptp connection, in or out. It's an old protocol and not secure, another reason why Chrome should not be using it. Wikipedia explains what's involved - Point-to-Point Tunneling Protocol - Wikipedia, the free encyclopedia


      This is unusual behaviour from Chrome, so I intend to ask on both the Chrome and Sysinternals forums if anyone has seen this before.

       

      In the meantime, does anyone here have any idea what was going on?
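
A triage sketch for the situation in the post above, added here as an example and not part of the original post. A viewer that resolves ports prints the services-file name for any matching number, so what matters is whether the socket is listening and which end of the connection holds the number. It assumes input in `netstat -ano` layout; the sample rows, addresses, PIDs and verdict labels are constructed for illustration.

```python
import re

# Names a port-resolving viewer prints for these numbers (services-file entries).
WATCHED = {1524: "ingreslock", 1723: "pptp"}

# Constructed sample in `netstat -ano` layout; addresses and PIDs are invented.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1524      203.0.113.10:443       ESTABLISHED     4312
  TCP    192.168.1.20:1723      203.0.113.11:443       ESTABLISHED     4312
  TCP    0.0.0.0:1524           0.0.0.0:0              LISTENING       5120
  TCP    [::]:1524              [::]:0                 LISTENING       5120
  TCP    192.168.1.20:50211     198.51.100.7:1723      ESTABLISHED     6001
  TCP    192.168.1.20:50300     203.0.113.12:80        TIME_WAIT       0
"""

# Greedy \S+ backtracks to the last colon, so "[::]:1524" parses as well.
ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+:(\d+)\s+(\S+)\s+(\d+)\s*$")

def triage(netstat_text, watched=WATCHED):
    """Return (pid, port, name, verdict) for every row touching a watched port."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        lport, rport, pid = int(m.group(1)), int(m.group(2)), int(m.group(4))
        state = m.group(3)
        if state == "LISTENING" and lport in watched:
            # This host accepts connections on the port: the case worth chasing.
            findings.append((pid, lport, watched[lport], "listener"))
        elif rport in watched:
            # This host is a client of a remote service on that port.
            findings.append((pid, rport, watched[rport], "remote-service"))
        elif lport in watched:
            # The number is only the local end of an outgoing connection.
            findings.append((pid, lport, watched[lport], "source-port-only"))
    return findings

if __name__ == "__main__":
    for pid, port, name, verdict in triage(SAMPLE):
        print(f"pid={pid:<5} port={port} ({name}): {verdict}")
```

For a `listener` row, the PID is the value to look up in the process list to see which executable opened the socket.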