Security reports have appeared regarding a backdoor known as the Ingreslock backdoor. Ingreslock itself is a legitimate service: the lock manager of the Ingres database, registered in the system's services file on TCP port 1524 (Transmission Control Protocol). What is troublesome is that port 1524 has long been used by Trojans and rootkits as a backdoor into a system. The name refers to the port the backdoor listens on, not to a flaw in Ingres: a machine that has never had Ingres installed can still have a shell bound to 1524.
| Field | Ingreslock backdoor |
|---|---|
| Short Description | A backdoor listening on TCP port 1524, the port registered to the legitimate Ingres lock service. TCP 1524 is often used by Trojans as a backdoor. |
| Symptoms | Not known yet. |
| Distribution Method | Not known yet. |
What Is Ingres Database?
Ingres Database is a commercially supported, open-source SQL relational database management system used in large commercial and government applications. Being open-source, Ingres has a sizeable community of contributors. Actian Corporation, however, controls the development of Ingres, makes certified binaries available for download, and provides worldwide support.
Ingreslock Backdoor Technical Review
As already said, the Ingreslock port, 1524/TCP, may be used as a backdoor by various programs. The port is not what gets exploited. The typical sequence is that an attacker first compromises the host through some other weakness, historically often a vulnerable RPC (remote procedure call) service, and then binds a shell to 1524/TCP so that the machine can be re-entered later. According to security experts, the Ingreslock backdoor is thus an intentional backdoor placed by malicious actors to keep access to a system. Because the bound shell performs no authentication, malicious actors only need to connect to the port and they are logged in, with the same privileges as the process that spawned the shell (root, if the attacker installed it as root). That property also makes the backdoor easy to test for: a genuine lock manager or database listener will not answer a bare command such as `id` with a `uid=` line, whereas a bound shell will.
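The "connect and you are in" behaviour just described is what a defender should test for. The script below is an added example written for this article, not code from the original page or from any tool it mentions. It serves a fake bindshell on an ephemeral localhost port (a constructed stand-in for a compromised host, so the probe runs offline; the real thing would be inetd or a rootkit binary on 1524) next to a fake legitimate service, then probes each by sending `id` and checking whether the reply looks like shell output. The function names, the two fake servers and the `uid=` fingerprint are assumptions of this example.

```python
"""Probe a TCP port for an "ingreslock"-style bindshell: a shell that answers
without any authentication. Added example; the fake servers below stand in
for a compromised host so the probe can be exercised offline."""
import re
import socket
import threading

INGRESLOCK_PORT = 1524  # port of the legitimate Ingres lock service, reused by bindshells

# `id` output is a cheap, reliable fingerprint of a real shell on the other end.
ID_OUTPUT = re.compile(rb"uid=(\d+)\(([^)]*)\)")


def probe_bindshell(host, port, timeout=3.0):
    """Connect, send a harmless `id`, and report (is_shell, uid, username).

    A genuine service (lock manager, database listener, SSH) never answers a
    bare "id\\n" with "uid=..."; an inetd-style `/bin/sh -i` bound to the port does.
    """
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"id\n")
            while len(data) < 4096:
                try:
                    chunk = s.recv(1024)
                except socket.timeout:
                    break  # silent service: no shell spoke back
                if not chunk:
                    break  # peer closed the connection
                data += chunk
                if ID_OUTPUT.search(data):
                    break
    except OSError:
        return (False, None, None)  # refused, unreachable or reset: nothing listening
    m = ID_OUTPUT.search(data)
    if not m:
        return (False, None, None)
    return (True, int(m.group(1)), m.group(2).decode(errors="replace"))


# --- constructed stand-ins so the probe can be run without a compromised host ---

def start_fake_server(handler, host="127.0.0.1"):
    """Serve `handler(conn)` on an ephemeral port; return (port, listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # port 0: let the OS choose, so the demo never collides with a real 1524
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket closed
            with conn:
                try:
                    handler(conn)
                except OSError:
                    pass  # client went away mid-exchange

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], srv


def fake_bindshell(conn):
    """Mimics inetd running `sh -i` on the port: no banner, no login, runs what it reads."""
    line = conn.recv(1024).strip()
    if line == b"id":
        conn.sendall(b"uid=0(root) gid=0(root) groups=0(root)\n")
    else:
        conn.sendall(b"sh: " + line + b": not found\n")


def fake_legit_service(conn):
    """Mimics a real daemon: greets, speaks its own protocol, and rejects `id`."""
    conn.sendall(b"220 lock-manager ready\r\n")
    conn.recv(1024)
    conn.sendall(b"500 unknown request\r\n")


if __name__ == "__main__":
    port, _ = start_fake_server(fake_bindshell)
    print(f"fake bindshell on 127.0.0.1:{port} -> {probe_bindshell('127.0.0.1', port)}")
    port, _ = start_fake_server(fake_legit_service)
    print(f"fake legit service on 127.0.0.1:{port} -> {probe_bindshell('127.0.0.1', port)}")
```

Against a real host you would call `probe_bindshell(host, INGRESLOCK_PORT)` only on systems you are authorised to test; the probe is deliberately limited to `id` so that it identifies the shell and the account it runs as without doing anything else on the target.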
A researcher has analyzed one attack carried out with the help of Ingreslock port 1524/TCP. The rootkit installed during the malicious operation contained trojaned binaries, a couple of DoS tools, Solaris patches, an sshd backdoor, a log cleaner, a sniffer, a file resizer, and a psy-bnc binary (an IRC bouncer).
This set of tools could have been applied in various malicious operations, including targeted network attacks, and it illustrates the point above: the shell on 1524 was only one piece of a toolkit placed after the host had already been compromised.
Backdoors, in general, bypass the regular authentication of software products and operating systems. In the hands of malicious actors they are deployed to keep unauthorized access to a victim's system after the initial compromise. In the current state of cyber crime, backdoors are often used in ransomware attacks. Basically, if a backdoor is open on a system, any malware can enter at any time.
Apart from the attack scenarios described above, a McAfee user has reported seeing Chrome processes whose ports were shown in TCPView as "ingreslock" and "pptp". The interesting thing is that the user says he doesn't have Ingres Database installed:
I have Tcpview running from startup, and today I noticed something I’ve not seen before. Tcpview showed the local ports being used for two Chrome processes not as numbers but as “ingreslock” and “pptp”. I should have taken a screenshot, because after a couple of minutes – while I was busy Googling to find out what these new things were – the processes ended and vanished from the list.[…] Note, I do not have an Ingres database.
If you have witnessed similar activity in any of your browsers, you should scan your system to make sure it isn't compromised by a backdoor. There is, however, a benign reading of that report that is worth checking before assuming the worst. TCPView does not know what a port is used for; it only resolves port numbers to names from the system's services file, in which 1524 is "ingreslock" and 1723 is "pptp". When a browser opens an outbound connection, the operating system picks the local port from its ephemeral range (1025 to 5000 by default on Windows XP and Server 2003, 49152 and up on later versions unless the range has been changed). If that range includes 1524 or 1723, a perfectly ordinary Chrome connection will be displayed under those names for a few minutes and then disappear when the connection closes. The indicator that matters is a socket in the LISTENING state on port 1524 (or on any other port) owned by a process you cannot account for; an established outbound connection whose local port happens to be 1524 is not, by itself, evidence of a backdoor.
For now, there is no official explanation of the report. We will keep you updated.
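To make the listening-versus-ephemeral distinction concrete, here is an added example (not part of the original article or of the quoted report) that triages `netstat -ano` output the way an analyst reads TCPView: it resolves the watched ports to the same names TCPView prints, flags LISTENING sockets on them, and separates the server side of an accepted connection from a client connection whose local port merely happens to be 1524 or 1723. The sample netstat output, PIDs and addresses are constructed for the example, and the small port-to-name table stands in for the services file.

```python
"""Triage netstat/TCPView-style socket listings for watched ports such as
1524 ("ingreslock") and 1723 ("pptp"). Added example with constructed input."""

# Port-to-name mapping as TCPView would print it. TCPView and netstat take these
# names from the system's services file; this small table stands in for it.
WATCHED_PORTS = {1524: "ingreslock", 1723: "pptp"}

# Constructed `netstat -ano` output (Windows format). PIDs and addresses are made up:
# 4412 is an unknown process listening on 1524, 6820 is a browser with ordinary
# outbound HTTPS connections, one of which happened to get local port 1723.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1524           0.0.0.0:0              LISTENING       4412
  TCP    192.168.1.20:1723      203.0.113.5:443        ESTABLISHED     6820
  TCP    192.168.1.20:49712     203.0.113.5:443        ESTABLISHED     6820
  TCP    127.0.0.1:1524         127.0.0.1:52011        ESTABLISHED     4412
  TCP    [::]:1524              [::]:0                 LISTENING       4412
  UDP    0.0.0.0:5353           *:*                                    1648
"""


def split_endpoint(endpoint):
    """'192.168.1.20:1723' -> ('192.168.1.20', 1723); '[::]:1524' -> ('::', 1524)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Return one dict per TCP line; header, blank and UDP lines (no State column) are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].upper() != "TCP":
            continue
        _, local, remote, state, pid = parts
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        records.append({
            "local_host": lhost, "local_port": lport,
            "remote_host": rhost, "remote_port": rport,
            "state": state.upper(), "pid": int(pid),
        })
    return records


def service_name(port, watched=WATCHED_PORTS):
    """What TCPView shows in the port column: a name if the services file has one."""
    return watched.get(port, str(port))


def triage(records, watched=WATCHED_PORTS):
    """Classify every socket whose *local* port is a watched port.

    LISTENER            - a process accepts connections on the port: identify the PID.
    LISTENER_CONNECTION - an accepted client of that listener (same port, server side).
    CLIENT_EPHEMERAL    - an outbound connection that was merely assigned this port
                          as its local ephemeral port; the name is cosmetic.
    """
    listening = {r["local_port"] for r in records if r["state"] == "LISTENING"}
    findings = []
    for r in records:
        port = r["local_port"]
        if port not in watched:
            continue
        if r["state"] == "LISTENING":
            verdict = "LISTENER"
        elif port in listening:
            verdict = "LISTENER_CONNECTION"
        else:
            verdict = "CLIENT_EPHEMERAL"
        findings.append({
            "pid": r["pid"], "port": port, "label": service_name(port, watched),
            "state": r["state"], "remote": f'{r["remote_host"]}:{r["remote_port"]}',
            "verdict": verdict,
        })
    return findings


def suspicious_pids(findings):
    """PIDs that own a LISTENER on a watched port; these need to be identified."""
    return {f["pid"] for f in findings if f["verdict"] == "LISTENER"}


if __name__ == "__main__":
    found = triage(parse_netstat(SAMPLE_NETSTAT))
    for f in found:
        print(f'pid {f["pid"]:>5}  local port {f["label"]:<10} {f["state"]:<12} '
              f'remote {f["remote"]:<22} -> {f["verdict"]}')
    print("investigate PIDs:", sorted(suspicious_pids(found)))
```

On a live host, feed the parser the real output of `netstat -ano` instead of the constructed sample and resolve any PID in `suspicious_pids` to its image path; the dynamic port range that decides whether a browser can legitimately land on 1524 can be confirmed with `netsh int ipv4 show dynamicport tcp`.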
Ingreslock Backdoor TCP 1524 Mitigation
Besides running a full system scan, users who suspect that a backdoor has sneaked into their systems should block inbound TCP 1524 at the firewall, both on the host and at the network edge. A method to do so has been suggested by RWB NetSec. Be clear about what such a rule does and does not achieve: it stops remote connections to a shell bound on 1524, but the port number is merely a convention, so an attacker can bind the shell to any other port or have it call out to them instead (a reverse shell). The rule is a stopgap; the real remedy is to identify the process listening on the port, the account it runs as, and the initial compromise that installed it.
Then use a reputable anti-malware utility to determine whether your system is compromised, and treat an unexplained listener that the scanner cannot attribute as a sign that the host itself can no longer be trusted.