Security Basics mailing list archives
RE: Hidden windows ports, files and services.
From: "Edy Lie" <email () edylie net>
Date: Fri, 11 Feb 2005 18:55:51 +0800
Hi Alex,

Install a packet sniffer on it, for example Ethereal, and once the attacker logs in you will be able to figure out the credentials and the stuff he is doing.

Cheers,
Edy

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Friday, February 11, 2005 4:27 AM
To: Paul Kurczaba; security-basics () securityfocus com
Subject: RE: Hidden windows ports, files and services.

Hi Paul,

I'll try it. I tried to "ftp" to the infected machine and the connection is OK. I can't log in because I don't know the username/password.

Thanks
Alex

--- Paul Kurczaba <seclists () securinews com> wrote:

Open up a command prompt. Type "telnet 127.0.0.1 21". What does the banner say?

-Paul

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Thursday, February 10, 2005 9:17 PM
To: security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.
In-Reply-To: <41C74BAA.4060400 () cs virginia edu>

Hi ALL,

Could anyone help me with a similar problem? I have a PC with XP Prof. A hidden ftp process/service is running. Using "netstat -aon", I can see two entries:

  Proto  Local Address  Foreign Address  State      PID
  TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  86
  TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  420

The process IDs cannot be found via Task Manager, tasklist and pslist. The XP service manager didn't give any clue. What tools can I use to detect the process/program, and how can I kill this hidden process? How can I clean up the computer? Any help would be greatly appreciated.

Thanks very much.
Alex Yan

Message-ID: <41C74BAA.4060400 () cs virginia edu>
Date: Mon, 20 Dec 2004 17:01:14 -0500
From: Mark Reis <mcr2z () cs virginia edu>
Cc: security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.

Hello Again,

I've discovered the answer to part 2 - the machine was infected by a root kit that was intercepting all of the system calls being issued by Active Ports, fport and such. I actually found myself being quite impressed by this kit. Even running Dependency Walker and comparing it with my test machine was negative.

The first clue was when I was inspecting the attributes on the system dll: I found some discrepancies in the flags. This led to me ultimately finding multiple duplicate DLLs in c:\windows\system32 called somedll.dll.tmp. What it appeared to be doing was returning the sizes and values of the original backed up files - thus masking the true trojans.

-Mark
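The two checks the thread arrives at by hand, as an added example that is not part of the mailing-list posts above: Alex's cross-check of `netstat -aon` PIDs against `tasklist`, and Mark's comparison of system32 DLLs against a clean test machine (attribute flags, sizes, and the `somedll.dll.tmp` backup copies). The netstat and tasklist text, the file inventories, and all sizes and attribute strings are constructed for the example; the function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -aon` output in the Windows XP layout; the two
# port-21 rows reproduce the entries Alex reported.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       86
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist` output from the same machine. PIDs 86 and
# 420 are deliberately absent, which is the symptom from the thread.
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  912 Console                 0      4,512 K
explorer.exe                1268 Console                 0     18,044 K
"""

# A TCP row carries a State column; a UDP row does not, so State is optional.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text: str) -> List[Tuple[str, str, str, int]]:
    """Return (proto, local_address, state, pid) for each socket row."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, _foreign, state, pid = m.groups()
            rows.append((proto, local, state or "", int(pid)))
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name for every process `tasklist` is willing to show."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def hidden_listeners(netstat_text: str, tasklist_text: str) -> List[Tuple[str, str, int]]:
    """Sockets whose owning PID is missing from the process list.

    A LISTENING socket always has a live owner, so a PID that netstat reports
    but tasklist does not is either a hooked process enumeration (the rootkit
    case from the thread) or a short-lived race; re-run to rule out the latter.
    """
    visible = parse_tasklist(tasklist_text)
    return [(proto, local, pid)
            for proto, local, _state, pid in parse_netstat(netstat_text)
            if pid not in visible]


# Constructed inventories of c:\windows\system32, keyed by path, holding the
# (size in bytes, DOS attribute string) a directory listing yields. The sizes
# and attributes are made up for the example; only the pattern matters.
CLEAN_INVENTORY = {
    r"c:\windows\system32\ws2_32.dll": (82944, "A"),
    r"c:\windows\system32\kernel32.dll": (983552, "A"),
    r"c:\windows\system32\ntdll.dll": (708096, "A"),
}
SUSPECT_INVENTORY = {
    r"c:\windows\system32\ws2_32.dll": (82944, "A"),       # replaced, but reports original values
    r"c:\windows\system32\ws2_32.dll.tmp": (82944, "A"),   # backed-up original beside it
    r"c:\windows\system32\kernel32.dll": (983552, "ASH"),  # attribute flags differ from baseline
    r"c:\windows\system32\ntdll.dll": (708096, "A"),
}


def dll_anomalies(clean: Dict[str, Tuple[int, str]],
                  suspect: Dict[str, Tuple[int, str]]) -> List[Tuple[str, str]]:
    """Flag the two signs Mark described: a .dll.tmp sibling next to a live DLL,
    and a DLL whose size or attribute flags differ from a known-clean machine."""
    findings = []
    lowered = {p.lower() for p in suspect}
    for path, (size, attrs) in sorted(suspect.items()):
        low = path.lower()
        if low.endswith(".dll.tmp") and low[:-4] in lowered:
            findings.append(("backup-copy-beside-dll", path))
            continue
        if path in clean and clean[path] != (size, attrs):
            findings.append(("differs-from-clean-baseline", path))
    return findings


if __name__ == "__main__":
    for proto, local, pid in hidden_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"listener {proto} {local} owned by PID {pid} not in tasklist")
    for kind, path in dll_anomalies(CLEAN_INVENTORY, SUSPECT_INVENTORY):
        print(f"{kind}: {path}")
```

Note what the sample deliberately shows: the trojaned `ws2_32.dll` passes the baseline comparison because, as Mark observed, the kit hands back the original file's size and values to anything that asks the live system. Both inventories therefore need to be collected with the suspect disk mounted from clean boot media, not from the infected Windows instance, and the same caveat applies to `netstat` and `tasklist` themselves: once enumeration is hooked, the host's own output is weak evidence, which is why Edy's suggestion of watching the traffic from a separate sniffer host is the stronger check.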
Current thread:
- Re: Hidden windows ports, files and services. Alex Yan (Feb 10)
- Re: Hidden windows ports, files and services. Mark Reis (Feb 10)
- RE: Hidden windows ports, files and services. Paul Kurczaba (Feb 10)
- RE: Hidden windows ports, files and services. Robert Hines (Feb 11)
- <Possible follow-ups>
- RE: Hidden windows ports, files and services. Alex Yan (Feb 11)
- Re: Hidden windows ports, files and services. q q (Feb 11)
- RE: Hidden windows ports, files and services. Edy Lie (Feb 11)
- RE: Hidden windows ports, files and services. Endre Szekely (Feb 11)
- RE: Hidden windows ports, files and services. Nick Duda (Feb 11)
- Re: Hidden windows ports, files and services. Security (Feb 11)
- Re: Hidden windows ports, files and services. Varun Pitale (Feb 14)
- Re: Hidden windows ports, files and services. Security (Feb 11)
- RE: Hidden windows ports, files and services. Doug . Janelle (Feb 11)
- Re: Hidden windows ports, files and services. H Carvey (Feb 14)
- Re: Hidden windows ports, files and services. Alex Yan (Feb 14)
- Re: Hidden windows ports, files and services. Mario Pascucci (Feb 15)
- Re: Hidden windows ports, files and services. Security (Feb 17)
- Re: Hidden windows ports, files and services. Alex Yan (Feb 14)
- RE: Hidden windows ports, files and services. Paul Marsh (Feb 15)