Security Basics mailing list archives
RE: Hidden windows ports, files and services.
From: "Nick Duda" <nduda () VistaPrint com>
Date: Fri, 11 Feb 2005 05:23:31 -0500
Use Fport to detect the proc.
- Nick
-----Original Message-----
From: Paul Kurczaba [mailto:seclists () securinews com]
Sent: Thu 2/10/2005 3:09 PM
To: 'Alex Yan'; security-basics () securityfocus com
Cc:
Subject: RE: Hidden windows ports, files and services.
Open up a command prompt. Type "telnet 127.0.0.1 21". What does the banner
say?
-Paul
-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Thursday, February 10, 2005 9:17 PM
To: security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.
In-Reply-To: <41C74BAA.4060400 () cs virginia edu>
Hi ALL,
Could anyone help me with a similar problem? I have a PC with XP Prof. A
hidden FTP process/service is running. Using "netstat -aon", I can see two
entries:
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:21 0.0.0.0:0 LISTENING 86
TCP 0.0.0.0:21 0.0.0.0:0 LISTENING 420
The process IDs cannot be found via Task Manager, tasklist and pslist.
The XP service manager didn't give any clue. What tools can I use to detect
the process/program, and how can I kill this hidden process? How can I clean
up the computer?
Any help would be greatly appreciated.
Thanks very much.
Alex Yan
>From: Mark Reis <mcr2z () cs virginia edu>
>Date: Mon, 20 Dec 2004 17:01:14 -0500
>Subject: Re: Hidden windows ports, files and services.
>
>Hello Again,
>
>I've discovered the answer to part 2 - the machine was infected by a
>root kit that was intercepting all of the system calls being issued by -
>active ports, fport and such. I actually found myself being quite
>impressed by this kit. Even running Dependency Walker and comparing it
>with my test machine was negative.
>
>The first clue was when I was inspecting the attributes on the system
>DLL, I found some discrepancies on the flags. This led to me ultimately
>finding multiple duplicate DLLs in c:\windows\system32 called
>somedll.dll.tmp. What it appeared to be doing was returning the
>sizes and values of the original backed up files - thus masking the true
>trojans.
>
>-Mark
>
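The discrepancy Alex describes (PIDs that own a LISTENING socket but appear in no process list) is the classic cross-view rootkit indicator, and the check below automates it. This is an added example, not code from the thread; the netstat and tasklist output it parses is constructed to mirror the posted entries, and the caveat Mark raises still applies: a kernel hook that lies to both tools leaves nothing to compare, so a clean view from a second source (pslist, an offline boot) is the real control.

```python
"""Cross-view check: PIDs that `netstat -aon` reports as LISTENING but that
`tasklist /FO CSV` does not list. Sample output below is constructed."""
import csv
import io
import re

# Constructed `netstat -aon` output, modelled on the two port-21 entries in the thread.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       86
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1136
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /FO CSV` output; PIDs 86 and 420 are deliberately absent.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"svchost.exe","868","Console","0","4,812 K"
"alg.exe","1136","Console","0","3,404 K"
'''

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local_addr, state, pid) tuples; state is '' for UDP rows."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, _foreign, state, pid = m.groups()
            rows.append((proto, local, state or "", int(pid)))
    return rows


def parse_tasklist_pids(csv_text):
    """Return the set of PIDs that tasklist reports (the process-list view)."""
    return {int(row["PID"]) for row in csv.DictReader(io.StringIO(csv_text))}


def hidden_listeners(netstat_text, tasklist_text):
    """(pid, local_addr) pairs owning a listening socket with no matching process."""
    known = parse_tasklist_pids(tasklist_text)
    return sorted({(pid, local) for _p, local, state, pid in parse_netstat(netstat_text)
                   if state == "LISTENING" and pid not in known})


if __name__ == "__main__":
    for pid, local in hidden_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {pid} listens on {local} but is not in the task list")
```

On a live host, feed it the real output of both commands; any hit is a lead to chase with pslist, Fport or an offline scan rather than proof on its own.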