Re: Hidden windows ports, files and services.

[Charles Otstot <charles.otstot () ncmail net>]

Mark,
I won't speak to the recycle bin since I haven't tested yet, but I may 
be able to help with ID'ing the ftp server.
Most of the tagged servers I've seen run Serv-U ftp. Typically the 
scripts for installing will be in a subfolder of the %winroot% folder 
(often as a subfolder of the %winroot%\system32\drivers folder). If 
someone has gotten smart enough to hide the port, you might check your 
services listing. Look for a service which appears legitimate, but in 
reality isn't. For example, you may see a service listed as "scvhost" or 
which has a legitimate named file in a wrong location (e.g 
c:\windows\svchost). Notice that the errors are subtle, so it's easy to 
miss. If you find such a service, bintext may help you ID the actual server.

Hope this helps at least a bit.

Charlie

Mark Reis wrote:

> Hello,
>
> Being at a University, I get to deal with my fair share of compromised 
> machines. Over the past year or so, I've started to notice that 
> hackers are getting smarter along with Microsoft making things more 
> complicated with XP SP2. I'm hoping that other members of this list 
> might be able to help resolve or know of a work around.
>
> I'm not interested in discussion in how to secure these machines, I do 
> what I can within the inherent bureaucracy of the system. :)
>
> Hidden files:
>
> One of the most common things I see is hackers hiding a FTP server for 
> questionable material in the RECYCLER. Assume that I am logged in as 
> the local administrator, the machine is disconnected from the network, 
> and explorer has been set to show all files. The offending process has 
> been found and removed, and I'd like to analyze the ftp server. The 
> default behavior of Windows XP is to hide the contents of the 
> C:\RECYCLER\UID. Prior to XP SP2, I used to be able to go through the 
> c$ share and see the contents via \\machine\c$\recycler\UID. However 
> with XP SP2, this option was removed. Ultimately, I now need to 
> download and use cygwin to list the directory contents.
>
> Does anyone know how to get XP to show *everything* - The same thing 
> applies to XP hiding the IE cache.
>
>
> Hidden Process:
>
> A machine was recently compromised and the only way I was aware of 
> this was by doing an nmap port scan of the system. NMAP 3.75 showed a 
> ftp server on a non-standard port. Using ncftp, I was able to connect 
> to this server.
>
> ncftp -P 1475 compromised machine -u anonymous
> NcFTP 3.1.7 (Jan 07, 2004) by Mike Gleason 
> (http://www.NcFTP.com/contact/).
> Connecting to ....
> FTP Server ready.
> Login incorrect.
> Sleeping 20 seconds...
>
> However, when in front of the machine, I've run Active Ports, Fport 
> and TCPView. None of which list a process as listening on that port. I 
> even downloaded fresh version of each and tried again. No luck. This 
> is quite disturbing...
>
> Does anyone have a suggestion on how to determine what process this is?
>
> Thank you,
> Mark Reis