Security Basics mailing list archives

RE: Hidden windows ports, files and services.


From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Mon, 20 Dec 2004 16:46:08 -0500

A really nice tool is
http://www.winsite.com/info/pc/win95/desktop/hidewndw.zip/

It will show any hidden windows.  I realize it's not the port scanner
you're looking for, but it's good for detecting these kinds of things.

Regarding your port issue:  I have no idea if this gets any deeper than
netstat, but it looked interesting:  http://www.freshsw.com/xns/

There's this:  http://www.foundstone.com/resources/proddesc/vision.htm

That's all I got for now.

JMB

-----Original Message-----
From: Egemen Tas [mailto:egemen.tas () gmail com] 
Sent: Monday, December 20, 2004 2:41 PM
To: Mark Reis
Cc: security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.


The process is possibly one of the rootkits (or modified versions of one)
which can be found at www.rootkit.com . There is a tool to detect
any hidden process. You can find that tool on that site too:
http://www.rootkit.com/newsread.php?newsid=170 . This is an experimental
tool but you can give it a try. It will find the hidden rootkit.

Good luck,

Egemen Tas

-------Original Message-------

From: Mark Reis
Date: 12/20/04 21:01:53
Cc: security-basics () securityfocus com
Subject: Hidden windows ports, files and services.

Hello,

Being at a University, I get to deal with my fair share of compromised
machines. Over the past year or so, I've started to notice that hackers
are getting smarter, along with Microsoft making things more complicated
with XP SP2. I'm hoping that other members of this list might be able to
help resolve this or know of a workaround.

I'm not interested in a discussion of how to secure these machines; I do
what I can within the inherent bureaucracy of the system. :)

Hidden files:

One of the most common things I see is hackers hiding an FTP server for
questionable material in the RECYCLER. Assume that I am logged in as the
local administrator, the machine is disconnected from the network, and
Explorer has been set to show all files. The offending process has been
found and removed, and I'd like to analyze the FTP server. The default
behavior of Windows XP is to hide the contents of C:\RECYCLER\UID.
Prior to XP SP2, I used to be able to go through the c$ share and see
the contents via \\machine\c$\recycler\UID. However, with XP SP2 this
option was removed. Ultimately, I now need to download and use Cygwin to
list the directory contents.

Does anyone know how to get XP to show *everything*? The same thing
applies to XP hiding the IE cache.

Hidden Process:

A machine was recently compromised, and the only way I was aware of this
was by doing an nmap port scan of the system. NMAP 3.75 showed an FTP
server on a non-standard port. Using ncftp, I was able to connect to
this server.

ncftp -P 1475 compromised machine -u anonymous
NcFTP 3.1.7 (Jan 07, 2004) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to ....

FTP Server ready.
Login incorrect.

Sleeping 20 seconds...

However, when in front of the machine, I've run Active Ports, Fport and
TCPView. None of them lists a process as listening on that port. I even
downloaded fresh versions of each and tried again. No luck. This is quite
disturbing...

Does anyone have a suggestion on how to determine what process this is?

Thank you,
Mark Reis


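The "hidden process" problem in Mark's post (nmap sees a listener on 1475, Fport/Active Ports/TCPView do not) is a classic cross-view symptom: a rootkit that hooks the socket-enumeration APIs can hide a port from every tool that asks the OS for a list, but it cannot stop the port from answering on the wire, and it normally cannot stop a local bind() to that port from failing with "address in use". The script below is an added example for this thread, not code from any of the posters or from the tools they name. It diffs the external view (nmap output) against the internal view (`netstat -an`), then probes each disagreeing port with a local bind(). The nmap and netstat text is constructed for the example; only port 1475 comes from the thread, and the host name and 192.0.2.10 address are placeholders.

```python
"""
Cross-view check for a listener that an external nmap scan sees but local
enumeration (netstat, Fport, TCPView) does not.  Three views are compared:

  1. external  : ports nmap reports open from another host
  2. internal  : ports `netstat -an` reports LISTENING on the suspect host
  3. bind probe: does a local bind() to each externally-seen port fail?

Run the report on the suspect host itself, feeding it the nmap output
captured from the scanning machine.
"""
import errno
import re
import socket

# Constructed sample: nmap 3.75-style normal output from the scanning host.
NMAP_OUTPUT = """\
Starting nmap 3.75 ( http://www.insecure.org/nmap/ )
Interesting ports on compromised.example.edu (192.0.2.10):
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1475/tcp open  unknown
"""

# Constructed sample: `netstat -an` run locally on the suspect host.
# Port 1475 is absent, matching what the poster saw in Fport/TCPView.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""


def parse_nmap(text):
    """Set of TCP ports that nmap's normal output lists as plainly 'open'."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open\s", text, re.M)}


def parse_netstat(text):
    """Set of TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))  # also handles [::]:port
    return ports


def hidden_ports(nmap_text, netstat_text):
    """Ports open on the wire that the local enumeration does not admit to."""
    return parse_nmap(nmap_text) - parse_netstat(netstat_text)


def bind_probe(port):
    """True if a local bind() to the port fails with 'address in use'.

    Binds the wildcard address without SO_REUSEADDR, so a socket bound to any
    specific address on that port makes the bind fail.  Returns None when the
    OS refuses for another reason (e.g. EACCES on a privileged port), meaning
    the probe cannot decide.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("", port))
        return False
    except OSError as e:
        return True if e.errno == errno.EADDRINUSE else None
    finally:
        s.close()


def cross_view_report(nmap_text, netstat_text, probe=bind_probe):
    """Map each port hidden from netstat to its bind-probe result."""
    return {p: probe(p) for p in sorted(hidden_ports(nmap_text, netstat_text))}


def probe_demo():
    """Self-check of bind_probe: a live loopback listener vs. a freed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    taken = srv.getsockname()[1]
    in_use = bind_probe(taken)
    srv.close()
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("", 0))
    freed = tmp.getsockname()[1]
    tmp.close()
    return in_use, bind_probe(freed)


if __name__ == "__main__":
    verdicts = {True: "bind fails: a hidden socket holds it",
                False: "bind ok: listener gone, or answering below the socket layer",
                None: "undecided (bind refused for another reason)"}
    for port, taken in cross_view_report(NMAP_OUTPUT, NETSTAT_OUTPUT).items():
        print(f"port {port}: open to nmap, missing from netstat, {verdicts[taken]}")
    print("probe self-check:", probe_demo())
```

A port that nmap sees, netstat omits, and bind() refuses is strong evidence that the enumeration path is being lied to; rebooting from known-good media and inspecting the disk offline is the next step. A port that nmap sees but bind() accepts is not a clean bill of health: a kernel-level hook that answers packets without owning a socket would also look that way, so the wire view from the scanning host remains the authority.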