I have Tcpview running from startup, and today I noticed something I've not seen before.
Tcpview showed the local ports being used for two Chrome processes not as numbers but as "ingreslock" and "pptp". I should have taken a screenshot, because after a couple of minutes - while I was busy Googling to find out what these new things were - the processes ended and vanished from the list.
1. "ingreslock" is usually associated with Port 1524. Note, I do not have an Ingres database.
Ingreslock is used legitimately to lock parts of an Ingres database. However, there are known trojans that also use port 1524 as a backdoor into a system.
A backdoor is installed on the remote host Attackers can exploit this issue to execute arbitrary commands in the context of the application. Successful attacks will compromise the affected system.
Now, that shouldn't be a problem. McAfee remained silent, my firewall is set to Stealth, and I have disabled most ports in the firewall. So 1524 should have been blocked - but Chrome was using it. So, has someone put a backdoor onto my system using Chrome or a Chrome extension to do it?
2. "pptp" is "Point-to-Point Tunnelling Protocol", which may be used when setting up a VPN. I don't use a VPN, and I don't know why Chrome would be trying to establish a pptp connection, in or out. It's an old protocol and not secure, another reason why Chrome should not be using it. Wikipedia explains what's involved - Point-to-Point Tunneling Protocol - Wikipedia, the free encyclopedia
This is unusual behaviour from Chrome, so I intend to ask on both the Chrome and Sysinternals forums if anyone has seen this before.
In the meantime, does anyone here have any idea what was going on?
Have you seen a file called ( /tmp/bob is used as the configuration file for the inetd process the exploit starts, which usually puts a bindshell on ingreslock (port 1524).? The ingreslock port (1524/TCP) is often used as a backdoor by programs which exploit vulnerable RPC (Remote Procedure Call) services. The backdoor is usually accompanied by a file called /tmp/bob which is the configuration file which opens a shell on the port.
This may be a subject you could bring up to Vinoo/or David from McAfee Labs?
I am uncertain if they would need a Hash..etc.
Yes, I saw the same article that mentions /tmp/bob.
I checked for any file with "bob" in its name and there's nothing, as expected. The forward-slash and use of "tmp" indicates that that files is to be found on Linux rather than windows.
I'm wondering if this is a glitch with TcpView substituting a name for a port number, although I've never seen those names in the list before. Better safe than sorry : I'll wait for a response from someone on TechNet who knows. Maybe I'll even get noticed by Mark Russinovitch.
Time for a scan anyway, but close observation of today's Chrome activity indicates this may be Tcpview mislabelling ports opened randomly by Chrome as part of the browser's normal operations. Knowing the port numbers that map to those descriptions is helpful; the latest example of a name instead of a number is "ms-sql-m".