Security Basics mailing list archives
RE: Hidden windows ports, files and services.
From: Doug.Janelle () Thermo com
Date: Fri, 11 Feb 2005 15:55:06 -0500
You could also try TCPVIEW from Sysinternals. Leave it running in a visible window and it'll show you all the procs as well as color-coded alerts when they trigger.

-dcj2

Use Fport to detect the proc.

- Nick

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Thursday, February 10, 2005 9:17 PM
To: security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.
In-Reply-To: <41C74BAA.4060400 () cs virginia edu>

Hi ALL,

Could anyone help me with a similar problem? I have a PC with XP Prof. A hidden ftp process/service is running. Using "netstat -aon", I can see two entries:

Proto  Local Address  Foreign Address  State      PID
TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  86
TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  420

The process IDs cannot be found via Task Manager, tasklist or pslist. The XP service manager didn't give any clue. What tools can I use to detect the process/program, and how can I kill this hidden process? How can I clean up the computer?

Any help would be greatly appreciated. Thanks very much.

Alex Yan

>Received: (qmail 1241 invoked from network); 20 Dec 2004 22:37:09 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
> by mail.securityfocus.com with SMTP; 20 Dec 2004 22:37:09 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
> by outgoing2.securityfocus.com (Postfix) with QMQP
> id 875A214373C; Mon, 20 Dec 2004 15:06:22 -0700 (MST)
>Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
>Precedence: bulk
>List-Id: <security-basics.list-id.securityfocus.com>
>List-Post: <mailto:security-basics () securityfocus com>
>List-Help: <mailto:security-basics-help () securityfocus com>
>List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
>List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
>Delivered-To: mailing list security-basics () securityfocus com
>Delivered-To: moderator for security-basics () securityfocus com
>Received: (qmail 13730 invoked from network); 20 Dec 2004 22:00:43 -0000
>Message-ID: <41C74BAA.4060400 () cs virginia edu>
>Date: Mon, 20 Dec 2004 17:01:14 -0500
>From: Mark Reis <mcr2z () cs virginia edu>
>User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
>X-Accept-Language: en-us, en
>MIME-Version: 1.0
>Cc: security-basics () securityfocus com
>Subject: Re: Hidden windows ports, files and services.
>References: <8AAB5E48C043704B8F1B835DD8F0A44602B49A () ROBIN eightinonepet com>
>In-Reply-To: <8AAB5E48C043704B8F1B835DD8F0A44602B49A () ROBIN eightinonepet com>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>Content-Transfer-Encoding: 7bit
>
>Hello Again,
>
>I've discovered the answer to part 2 - the machine was infected by a
>root kit that was intercepting all of the system calls being issued by
>active ports, fport and such. I actually found myself being quite
>impressed by this kit. Even running Dependency Walker and comparing it
>with my test machine was negative.
>
>The first clue was when I was inspecting the attributes on the system
>dll, I found some discrepancies on the flags. This led to me ultimately
>finding multiple duplicate DLLs in c:\windows\system32 called
>somedll.dll.tmp. What it appeared to be doing was returning the
>sizes and values of the original backed up files - thus masking the true trojans.
>
>-Mark
>
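The symptom Alex describes (a listener on port 21 owned by a PID that Task Manager, tasklist and pslist never show) is exactly the discrepancy a defender can check for mechanically: take the PIDs from `netstat -aon`, take the PIDs from `tasklist`, and flag any listener whose owner is missing from the process list. The script below is an added example written for this thread, not code from any of the posters or from Sysinternals; the `netstat -aon` and `tasklist` outputs embedded in it are constructed samples in the Windows XP column layout, not captures from Alex's machine. It also includes a small check for the `somedll.dll.tmp` pattern Mark reported in `c:\windows\system32`, run over a constructed directory listing rather than a real one.

```python
"""Cross-check listener PIDs from `netstat -aon` against `tasklist`, and look
for <name>.dll.tmp shadows beside real DLLs. All sample data is constructed."""
import re
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Listener(NamedTuple):
    proto: str
    local: str
    pid: int


# Constructed sample of `netstat -aon` output (XP layout); PIDs 86 and 420
# hold port 21, mirroring the thread, but are absent from the task list below.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       86
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1380
  TCP    192.168.1.5:1044       198.51.100.7:80        ESTABLISHED     1380
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist` output from the same (hypothetical) host.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  932 Console                 0      4,720 K
explorer.exe                1380 Console                 0     18,244 K
"""

# Constructed listing of a system32 directory with one ".dll.tmp" shadow.
SYSTEM32_LISTING = ["kernel32.dll", "ws2_32.dll", "ws2_32.dll.tmp",
                    "advapi32.dll", "setup.tmp"]


def parse_netstat(text: str) -> List[Listener]:
    """Keep TCP rows in LISTENING state and every UDP row (UDP has no State column)."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue
            pid = int(parts[4])
        else:
            pid = int(parts[3])
        listeners.append(Listener(proto, local, pid))
    return listeners


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name; header and '====' separator rows do not match."""
    procs: Dict[int, str] = {}
    row = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
    for line in text.splitlines():
        m = row.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def hidden_listeners(netstat_text: str, tasklist_text: str) -> List[Listener]:
    """Listeners whose owning PID the process list does not report at all.
    A legitimate process can exit between the two snapshots, so a hit is a
    lead to confirm with a second tool (TCPView, Fport), not proof by itself."""
    visible = parse_tasklist(tasklist_text)
    return [l for l in parse_netstat(netstat_text) if l.pid not in visible]


def tmp_dll_shadows(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Pairs (x.dll, x.dll.tmp) where a .tmp copy sits beside the real DLL."""
    present = set(names)
    return sorted((n[:-4], n) for n in present
                  if n.lower().endswith(".dll.tmp") and n[:-4] in present)


def report(netstat_text: str, tasklist_text: str, listing: Iterable[str]) -> List[str]:
    out = [f"{l.proto} {l.local} is owned by PID {l.pid}, which tasklist does not show"
           for l in hidden_listeners(netstat_text, tasklist_text)]
    out += [f"{dll} has a .tmp twin ({tmp}); compare size, hash and attributes"
            for dll, tmp in tmp_dll_shadows(listing)]
    return out


if __name__ == "__main__":
    for line in report(NETSTAT_SAMPLE, TASKLIST_SAMPLE, SYSTEM32_LISTING):
        print(line)
```

On a live box you would feed the script the real outputs of `netstat -aon` and `tasklist` captured at the same moment, ideally from a clean boot medium or a second machine's tools, since Mark's point is that a kernel-level kit may lie to every user-mode tool on the infected host; the cross-check is cheap evidence, not a cleaner.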
Current thread:
- Re: Hidden windows ports, files and services., (continued)
- Re: Hidden windows ports, files and services. Mark Reis (Feb 10)
- RE: Hidden windows ports, files and services. Paul Kurczaba (Feb 10)
- RE: Hidden windows ports, files and services. Robert Hines (Feb 11)
- RE: Hidden windows ports, files and services. Alex Yan (Feb 11)
- Re: Hidden windows ports, files and services. q q (Feb 11)
- RE: Hidden windows ports, files and services. Edy Lie (Feb 11)
- RE: Hidden windows ports, files and services. Endre Szekely (Feb 11)
- RE: Hidden windows ports, files and services. Nick Duda (Feb 11)
- Re: Hidden windows ports, files and services. Security (Feb 11)
- Re: Hidden windows ports, files and services. Varun Pitale (Feb 14)
- Re: Hidden windows ports, files and services. Security (Feb 11)
- RE: Hidden windows ports, files and services. Doug . Janelle (Feb 11)
- Re: Hidden windows ports, files and services. H Carvey (Feb 14)
- Re: Hidden windows ports, files and services. Alex Yan (Feb 14)
- Re: Hidden windows ports, files and services. Mario Pascucci (Feb 15)
- Re: Hidden windows ports, files and services. Security (Feb 17)
- Re: Hidden windows ports, files and services. Alex Yan (Feb 14)
- RE: Hidden windows ports, files and services. Paul Marsh (Feb 15)
- RE: Hidden windows ports, files and services. Alex Yan (Feb 15)
- RE: Hidden windows ports, files and services. Paul Marsh (Feb 15)
- RE: Hidden windows ports, files and services. Alex Yan (Feb 15)
- RE: Hidden windows ports, files and services. Alex Yan (Feb 15)
- RE: Hidden windows ports, files and services. Paul Marsh (Feb 15)