Security Basics mailing list archives
Re: Hidden windows ports, files and services.
From: Alex Yan <drcyyan () yahoo com>
Date: 11 Feb 2005 02:17:28 -0000
In-Reply-To: <41C74BAA.4060400 () cs virginia edu>

Hi ALL,

Could anyone help me with a similar problem? I have a PC with XP Prof. A hidden ftp process/service is running. Using "netstat -aon", I can see two entries:

  Proto  Local Address  Foreign Address  State      PID
  TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  86
  TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  420

The process IDs cannot be found via Task Manager, tasklist or pslist. The XP service manager didn't give any clue. What tools can I use to detect the process/program, and how can I kill this hidden process? How can I clean up the computer?

Any help would be greatly appreciated. Thanks very much.

Alex Yan
Message-ID: <41C74BAA.4060400 () cs virginia edu>
Date: Mon, 20 Dec 2004 17:01:14 -0500
From: Mark Reis <mcr2z () cs virginia edu>
Cc: security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.
In-Reply-To: <8AAB5E48C043704B8F1B835DD8F0A44602B49A () ROBIN eightinonepet com>

Hello Again,

I've discovered the answer to part 2 - the machine was infected by a root kit that was intercepting all of the system calls being issued by Active Ports, fport and such. I actually found myself being quite impressed by this kit. Even running Dependency Walker and comparing it with my test machine was negative.

The first clue was when I was inspecting the attributes on the system DLLs: I found some discrepancies in the flags. This led me ultimately to finding multiple duplicate DLLs in c:\windows\system32 called somedll.dll.tmp. What it appeared to be doing was returning the sizes and values of the original backed-up files - thus masking the true trojans.

-Mark
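The two symptoms raised in this exchange, a listening socket whose owning PID is absent from the process list, and a somedll.dll.tmp sitting next to the real somedll.dll with mismatched attributes, can both be checked with a cross-view script. The PowerShell below is an added example written for this archive page; it is not code from either poster. It parses the text of `netstat -aon` (the same rows Alex quotes are embedded as a constructed sample), diffs the owning PIDs against what `tasklist` can see, and sweeps System32 for *.dll.tmp shadows, comparing size, SHA-256 and attributes with the original. It assumes netstat.exe and tasklist.exe are present and that Get-FileHash (PowerShell 4 or later) is available; the sample PID set and the third netstat row are constructed.

```powershell
# Added example, not from the thread. Cross-view check for hidden listeners
# and a sweep for *.dll.tmp shadows in System32.
# Assumptions: netstat.exe / tasklist.exe exist (XP and later); Get-FileHash
# needs PowerShell 4+. Sample rows and PID set below are constructed.

function ConvertFrom-NetstatListening {
    # Parse `netstat -aon` text into objects, keeping only TCP LISTENING rows.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        # e.g.  TCP  0.0.0.0:21  0.0.0.0:0  LISTENING  86   (also matches [::]:135)
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            [pscustomobject]@{
                LocalAddress = $Matches[1]
                LocalPort    = [int]$Matches[2]
                OwningPid    = [int]$Matches[3]
            }
        }
    }
}

function Find-OrphanListeners {
    # Listeners (network view) whose PID is missing from the process view.
    param(
        [Parameter(Mandatory)][string[]]$NetstatLines,
        [Parameter(Mandatory)][int[]]$VisiblePids
    )
    $seen = @{}
    foreach ($p in $VisiblePids) { $seen[$p] = $true }
    ConvertFrom-NetstatListening -Lines $NetstatLines |
        Where-Object { -not $seen.ContainsKey($_.OwningPid) }
}

function Find-DllTmpShadows {
    # somedll.dll.tmp beside somedll.dll: report size, hash and attribute deltas.
    param([string]$Dir = (Join-Path $env:SystemRoot 'System32'))
    Get-ChildItem -Path $Dir -Filter '*.dll.tmp' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $origPath = Join-Path $Dir ($_.Name -replace '\.tmp$', '')
            $orig = if (Test-Path $origPath) { Get-Item $origPath } else { $null }
            [pscustomobject]@{
                TmpFile        = $_.FullName
                Original       = $origPath
                TmpSize        = $_.Length
                OrigSize       = if ($orig) { $orig.Length } else { $null }
                TmpSha256      = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
                OrigSha256     = if ($orig) { (Get-FileHash $origPath -Algorithm SHA256).Hash } else { $null }
                TmpAttributes  = $_.Attributes
                OrigAttributes = if ($orig) { $orig.Attributes } else { $null }
            }
        }
}

# Constructed sample: the two rows from Alex's post plus one row with a PID
# that the process view can see.
$sampleNetstat = @(
    'Proto  Local Address  Foreign Address  State      PID',
    'TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  86',
    'TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  420',
    'TCP    0.0.0.0:135    0.0.0.0:0        LISTENING  900'
)
$sampleVisiblePids = @(4, 900, 1234)   # constructed: what tasklist reports
Find-OrphanListeners -NetstatLines $sampleNetstat -VisiblePids $sampleVisiblePids |
    Format-Table -AutoSize
# Expected: the two port-21 rows (PIDs 86 and 420); PID 900 is not reported.

# Live run on this host. Run elevated, or netstat cannot attribute every socket.
$liveNetstat = netstat -aon
$livePids    = (tasklist /fo csv | ConvertFrom-Csv).PID | ForEach-Object { [int]$_ }
Find-OrphanListeners -NetstatLines $liveNetstat -VisiblePids $livePids | Format-Table -AutoSize
Find-DllTmpShadows | Format-Table -AutoSize
```

Two caveats before acting on a hit. First, netstat and tasklist are separate snapshots, so a process that exits between the two calls shows up as an orphan; re-run and only trust a PID that stays orphaned. Second, this is a user-mode cross-view: a rootkit that hooks the enumeration APIs, as the one Mark describes fooled Active Ports, fport and pslist, can lie to both views at once. A listener that persists in netstat with no owner is strong evidence, but a clean result is not proof of a clean box; confirm from an offline boot or with a kernel-level tool, and treat a .dll.tmp whose hash or attributes differ from its namesake as the backed-up original rather than the file actually being loaded.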
Current thread:
- Re: Hidden windows ports, files and services. Alex Yan (Feb 10)
- Re: Hidden windows ports, files and services. Mark Reis (Feb 10)
- RE: Hidden windows ports, files and services. Paul Kurczaba (Feb 10)
- RE: Hidden windows ports, files and services. Robert Hines (Feb 11)
- <Possible follow-ups>
- RE: Hidden windows ports, files and services. Alex Yan (Feb 11)
- Re: Hidden windows ports, files and services. q q (Feb 11)
- RE: Hidden windows ports, files and services. Edy Lie (Feb 11)
- RE: Hidden windows ports, files and services. Endre Szekely (Feb 11)
- RE: Hidden windows ports, files and services. Nick Duda (Feb 11)
- Re: Hidden windows ports, files and services. Security (Feb 11)
- Re: Hidden windows ports, files and services. Varun Pitale (Feb 14)
- Re: Hidden windows ports, files and services. Security (Feb 11)
(Thread continues...)