Security Basics mailing list archives

Re: Possible Trojan.

From: Charles Funderburk <aka () io com>
Date: Mon, 27 Oct 2003 15:08:45 -0600

Is it possible that the box is owned? 

Check for any suspicious processes using http://sysinternals.com/ntw2k/freeware/procexp.shtml

It's possible that he has a trojan/backdoor/keylogger. Has he scanned his machine lately? Use an online scan tool - 
http://housecall.trendmicro.com/ . Don't trust the one on the local host. Especially if it isn't current.

It may be too late. No telling what executables have been replaced with what backdoor programs. A sniffer might help, 
but at this point, I'd rebuild the machine. What operating system is it running?

script kiddie could have used netcat to hide the executable/process as another service running on another port.

it's possible that somebody there in the office is sniffing the subnet. Wouldn't be difficult to do, especially if they 
were not on a switched network. finding Windows boxes that are in promiscuous mode is really tough. Ettercap will do a 
at best effor to identify these devices. If aol is like any of the others - hotmail or yahoo most of the stuff is 
easily captured over the wire with a good sniffer.

scary....hope this helps.

ctf 


On Mon, Oct 27, 2003 at 07:42:38PM -0000, Gene wrote:



Have a buddy complaining about his AOL account password being stolen every time he logs onto AOL from his PC at work.  
I talked him through doing an fport on his box and he sent me the results:


Pid   Process            Port  Proto Path
8     System         ->  1097  TCP
8     System         ->  139   TCP
8     System         ->  445   TCP
1916  aolwbspd       ->  11523 TCP   C:\Program Files\America Online 9.0\aolwbsp
d.exe
676   OUTLOOK        ->  1125  TCP   C:\Program Files\Microsoft Office\Office10\
OUTLOOK.EXE
676   OUTLOOK        ->  1129  TCP   C:\Program Files\Microsoft Office\Office10\
OUTLOOK.EXE
856   MSTask         ->  1051  TCP   C:\WINNT\system32\MSTask.exe
988   svchost        ->  1132  TCP   C:\WINNT\system32\svchost.exe
988   svchost        ->  1134  TCP   C:\WINNT\system32\svchost.exe
988   svchost        ->  1139  TCP   C:\WINNT\system32\svchost.exe
452   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe

8     System         ->  137   UDP
8     System         ->  138   UDP
8     System         ->  445   UDP
1820  waol           ->  1849  UDP   C:\Program Files\America Online 9.0\waol.ex
e
1688  IEXPLORE       ->  1191  UDP   C:\Program Files\Internet Explorer\IEXPLORE
.EXE
1856  IEXPLORE       ->  1784  UDP   C:\Program Files\Internet Explorer\IEXPLORE
.EXE
676   OUTLOOK        ->  1126  UDP   C:\Program Files\Microsoft Office\Office10\
OUTLOOK.EXE
676   OUTLOOK        ->  1127  UDP   C:\Program Files\Microsoft Office\Office10\
OUTLOOK.EXE
676   OUTLOOK        ->  1182  UDP   C:\Program Files\Microsoft Office\Office10\
OUTLOOK.EXE
800   rtvscan        ->  2967  UDP   C:\Program Files\NavNT\rtvscan.exe
268   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
228   winlogon       ->  1053  UDP   \??\C:\WINNT\system32\winlogon.exe


I'm really concerned with the last one: 

228   winlogon       ->  1053  UDP   \??\C:\WINNT\system32\winlogon.exe


I've found some things on the net that say it's legit, I've found others that say it's indicative of a backdoor.  I 
ran fport on my box and did not have any entries like that.  Does anyone have any information on this?  Are there 
other entries that attract anyone else's attention?

Your help is appreciated.

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------

Current thread:

Possible Trojan. Gene (Oct 27)
- RE: Possible Trojan. Bob Beck (Oct 27)
- Re: Possible Trojan. Charles Funderburk (Oct 27)
- <Possible follow-ups>
- Re: Possible Trojan. H Carvey (Oct 28)
  - Re: Possible Trojan. John T. Hoffoss (Oct 29)
    - Interesting sniffer packet JGrimshaw (Oct 30)