Security Basics mailing list archives
Re: Hidden windows ports, files and services.
From: Varun Pitale <varun.pitale () gmail com>
Date: Sat, 12 Feb 2005 15:50:00 -0500
Use a personal firewall and block any connections to the port 21. That should help you out. Do not use Norton Internet firewall, it is too bloated. Use something like Tiny Personal Firewall or Sygate Personal firewall.

On Fri, 11 Feb 2005 15:28:35 -0500, Security <security () sustainedhits com> wrote:

You might find this helpful: http://home.arcor.de/scheinsicherheit/rootkits.htm

I really doubt a different tool like Fprot would do much but show the same thing he's getting through netstat if the system calls are being hooked to hide the process using the standard methods. You need to get those processes (at least the one(s) that have port 21 open) so they will display in the regular task manager list by cleaning out whatever is hiding them, then determine what it was hiding. If it doesn't show up in task manager, you can be pretty sure there is a rootkit intercepting vital system calls and hiding processes from being shown/killed/etc. - the only reason he stumbled upon it is because they were too sloppy to hide the port from netstat too.

----- Original Message -----
From: "Nick Duda" <nduda () VistaPrint com>
To: "Paul Kurczaba" <seclists () securinews com>; "Alex Yan" <drcyyan () yahoo com>; <security-basics () securityfocus com>
Sent: Friday, February 11, 2005 5:23 AM
Subject: RE: Hidden windows ports, files and services.

Use Fport to detect the proc.

- Nick

-----Original Message-----
From: Paul Kurczaba [mailto:seclists () securinews com]
Sent: Thu 2/10/2005 3:09 PM
To: 'Alex Yan'; security-basics () securityfocus com
Subject: RE: Hidden windows ports, files and services.

Open up a command prompt. Type "telnet 127.0.0.1 21". What does the banner say?

-Paul

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Thursday, February 10, 2005 9:17 PM
To: security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.
In-Reply-To: <41C74BAA.4060400 () cs virginia edu>

Hi ALL,

Could anyone help me with a similar problem? I have a PC with XP Prof. A hidden FTP process/service is running. Using "netstat -aon", I can see two entries:

  Proto  Local Address  Foreign Address  State      PID
  TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  86
  TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  420

The process IDs cannot be found via Task Manager, tasklist and pslist. The XP service manager didn't give any clue. What tools can I use to detect the process/program, and how can I kill this hidden process? How can I clean up the computer? Any help would be greatly appreciated. Thanks very much.

Alex Yan

Message-ID: <41C74BAA.4060400 () cs virginia edu>
Date: Mon, 20 Dec 2004 17:01:14 -0500
From: Mark Reis <mcr2z () cs virginia edu>
Cc: security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.
In-Reply-To: <8AAB5E48C043704B8F1B835DD8F0A44602B49A () ROBIN eightinonepet com>

Hello Again,

I've discovered the answer to part 2 - the machine was infected by a root kit that was intercepting all of the system calls being issued by active ports, fport and such. I actually found myself being quite impressed by this kit. Even running Dependency Walker and comparing it with my test machine was negative. The first clue was when I was inspecting the attributes on the system DLL, I found some discrepancies on the flags. This led to me ultimately finding multiple duplicate DLLs in c:\windows\system32 called somedll.dll.tmp. What it appeared to be doing was returning the sizes and values of the original backed up files - thus masking the true trojans.

-Mark
--
Regards,
Varun
(202)-994-6114 --(Office)
(704)-241-0092 --(Mobile)
mailto: varun.pitale_(at)_gmail_(dot)_com
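The cue the thread keeps returning to is a PID that owns a listening socket in "netstat -aon" but is missing from every process lister; the script below is an added example, not code from any poster, that automates that cross-check against constructed "netstat -aon" and "tasklist /FO CSV /NH" output modelled on Alex's two port-21 entries.

```python
import csv
import io
import re

# Constructed sample of "netstat -aon" output, mirroring the two port-21
# listeners with PIDs 86 and 420 reported in the thread (plus two normal rows).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       86
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of "tasklist /FO CSV /NH": PIDs 86 and 420 are absent,
# which is exactly what a process-enumeration hook would produce.
TASKLIST_SAMPLE = """\
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"svchost.exe","900","Console","0","4,120 K"
"explorer.exe","1204","Console","0","18,512 K"
"""

def parse_netstat(text):
    """Return {pid: [(proto, local_addr, state), ...]} from netstat -aon text."""
    sockets = {}
    for line in text.splitlines():
        # UDP rows have no State column, so the state group is optional.
        m = re.match(r"\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$", line)
        if not m:
            continue
        proto, local, _remote, state, pid = m.groups()
        sockets.setdefault(int(pid), []).append((proto, local, state or ""))
    return sockets

def parse_tasklist(text):
    """Return {pid: image_name} from tasklist /FO CSV /NH text."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs

def find_hidden_socket_owners(netstat_text, tasklist_text):
    """PIDs that own a socket but are missing from the process list."""
    sockets = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    return {pid: ends for pid, ends in sockets.items() if pid not in procs}

if __name__ == "__main__":
    for pid, ends in sorted(find_hidden_socket_owners(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items()):
        print(f"PID {pid} owns sockets but is not in tasklist: {ends}")
```

On a live box, feed it the real command output captured to files; a non-empty result is the same discrepancy the thread attributes to hooked process-enumeration calls, and warrants an offline check of the disk rather than trust in anything the running system reports.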