
Remove Ingreslock Backdoor and Lock TCP 1524

Security reports have appeared regarding a network vulnerability identified as the Ingreslock backdoor. Ingreslock is a legitimate service that locks parts of an Ingres database and uses port 1524 over TCP (Transmission Control Protocol). What is troublesome is that port 1524 is often used by Trojans as a backdoor into a system.

Name: Ingreslock Backdoor
Type: Backdoor
Short Description: A legitimate service that uses port 1524. TCP 1524 is often used by Trojans as a backdoor.
Symptoms: Not known yet.
Distribution Method: Not known yet.

What Is Ingres Database?

Ingres Database is a commercially supported, open-source SQL relational database management system that supports big commercial and government programs. Being open-source, Ingres Database has a large community of contributors. Actian Corporation, however, controls the development of Ingres, makes certified binaries available for download, and provides worldwide support.


Ingreslock Backdoor Technical Review

As already said, the Ingreslock port (1524/TCP) may be used as a backdoor by various programs, which may exploit RPC (remote procedure call) services. According to security experts, the Ingreslock backdoor may be used as an intentional backdoor by malicious actors to obtain access to a system. Malicious actors only need to connect to the port, and they will be logged in with the same privileges as the user running the service.

A researcher has analyzed a unique attack carried out with the help of Ingreslock port 1524/TCP. The analyzed rootkit that was installed during the malicious operation contained:

trojaned binaries, a couple of DoS tools, Solaris patches, an sshd backdoor, a log cleaner, a sniffer, a file resizer, and a psy-bnc binary.

This set of tools could have been applied in various malicious operations, including targeted network attacks.


Backdoors, in general, are used to bypass regular authentication in software products and operating systems. When in the hands of malicious actors, backdoors are deployed to gain unauthorized access to a victim’s system. In the current state of cyber crime, backdoors are often used in ransomware attacks. Basically, if a backdoor is open to a system, any malware can enter at any time.

Apart from the attack scenarios described above, a McAfee user has reported seeing Chrome processes that show ports “ingreslock” and “pptp”. The interesting thing is the user says he doesn’t have Ingres Database installed:

I have Tcpview running from startup, and today I noticed something I’ve not seen before. Tcpview showed the local ports being used for two Chrome processes not as numbers but as “ingreslock” and “pptp”. I should have taken a screenshot, because after a couple of minutes – while I was busy Googling to find out what these new things were – the processes ended and vanished from the list.[…] Note, I do not have an Ingres database.

If you have witnessed similar activity in any of your browsers, you should scan your system immediately to make sure it isn’t compromised by a backdoor.

For now, there is no official explanation as to why these processes appear in systems that don’t have Ingres. We will keep you updated.
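
An added example, not part of the original article or of the quoted user's post: a port displayed as "ingreslock" is TCP 1524 under its services-file name, so a first triage step is to tell a listener on 1524 (the backdoor pattern described above) apart from a connection that only uses 1524 as its local source port. The netstat rows, addresses and PIDs are constructed, and the verdict labels are this example's own.

```python
PORT = 1524  # "ingreslock" in the services file; 1723 is "pptp"
# Constructed samples in the column layout of Windows `netstat -ano`.
HOST_A = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1524           0.0.0.0:0              LISTENING       4012
  TCP    [::]:1524              [::]:0                 LISTENING       4012
  TCP    192.168.1.20:1524      198.51.100.9:40122     ESTABLISHED     4012
"""
HOST_B = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.30:1524      203.0.113.10:443       ESTABLISHED     7788
  TCP    192.168.1.30:1723      203.0.113.11:443       ESTABLISHED     7788
  TCP    192.168.1.30:50211     198.51.100.7:1524      ESTABLISHED     6120
"""

def port_of(endpoint):
    """Port from 'addr:port'; rsplit also handles IPv6 forms like '[::]:1524'."""
    return int(endpoint.rsplit(":", 1)[1])

def parse(text):
    """Yield (local_port, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0].upper() == "TCP":
            yield port_of(f[1]), port_of(f[2]), f[3].upper(), int(f[4])

def triage(text, port=PORT):
    """Classify every socket that has `port` on either end."""
    rows = list(parse(text))
    listening = any(lp == port and st == "LISTENING" for lp, _, st, _ in rows)
    findings = []
    for lp, rp, st, pid in rows:
        if port not in (lp, rp):
            continue
        if st == "LISTENING":
            verdict = "LISTENER"             # something accepts connections on the port
        elif lp == port and listening:
            verdict = "INBOUND_TO_LISTENER"  # a peer is connected to that listener
        elif rp == port:
            verdict = "OUTBOUND_TO_PORT"     # this host connected out to a remote 1524
        else:
            verdict = "LOCAL_SOURCE_PORT"    # the port is only the client-side port
        findings.append((verdict, pid, lp, rp))
    return findings

if __name__ == "__main__":
    for name, sample in (("HOST_A", HOST_A), ("HOST_B", HOST_B)):
        for finding in triage(sample):
            print(name, *finding)
```

A `LISTENER` or `INBOUND_TO_LISTENER` verdict is the one to investigate first: look up the owning PID and check whether an Ingres installation accounts for it.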

Ingreslock Backdoor TCP 1524 Mitigation

Besides running a full system scan, users who suspect that a backdoor has sneaked into their systems should lock down TCP port 1524 at the firewall. The best way to fix this problem is to call your Internet provider, explain the issue and ask them to lock down the troublesome port for you.

Then, use a powerful anti-malware utility to determine whether your system is compromised or protected.



Milena Dimitrova


An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
