Security Basics mailing list archives
Re: How to find process behing TCP connection ?
From: "Mario A. Spinthiras" <mario () netway com cy>
Date: Fri, 29 Sep 2006 11:12:02 +0300
Daniel DeLeo wrote:
A bit off topic for this thread, but...Just wanted to point out that under *NIX, if you get rooted, your copy of lsof will probably be trojaned to hide the attacker's rootkit and malicious activity. You could potentially build a new lsof from source or copy a binary from a trusted machine, however, off-line forensic analysis is usually the way to go--especially because of kernel-level rootkits that will lie to lsof, trojaned or not. If your *NIX has chflags (is this only on OpenBSD? I've become so partisan to OBSD for production machines that I don't know...) you can prevent this by setting the system immutable flag on your kernel and binaries like ps, lsof and the like.Now back on topic...Sounds like you've got a reverse-engineering challenge on your hands. If you're up for it, SoftICE is something you should look into. The book "Security Warrior" from O'Reilly will get you started and there's probably some good advice on the web. That being said, unless you already have skills with assembler, this is probably more effort than you'll want to expend on the issue, especially since your opponent, the malware author, seems to have some skills at anti-detection, so he might have some skills at anti-reverse-engineering, too. (disclaimer: reverse engineering is one of those skills that I've always wanted to learn, but there's always a fire to be put out just when I sit down to start practicing)Finally, DO NOT FORGET to firewall the crap out of your honeypot box. Look around the web for honeypot oriented root-kits, too. I know of sebek for *NIX, but there must be some for windows. This will help you get the most mileage out of your honeypot project.Daniel DeLeo On Sep 27, 2006, at 2:20 PM, Buozis, Martynas wrote:Thanks for reply. Maybe I was not clear. Windows Server 2003 is acting as client and initiates connection to service on port 139 too many workstations. Actually it tries to logon as Administrator to many computers. And process, that initiates connection, is "System 4". There are no reasons why this server should connect to any of these workstations. Per configuration attempt to logon as Admin is denied. I set up open system and expect server will try to connect to it, so maybe I will understand better what is behind activity, but I am also sure, that more people got same problem for different reasons and they are willing to share their experience. So easy under Unix with LSOF and not possible under Windows ?... Can't believe! With best regards Martynas -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Colin Copley Sent: Wednesday, September 27, 2006 8:55 PM To: Buozis, Martynas Cc: security-basics () securityfocus com Subject: Re: How to find process behing TCP connection ? Maybe this is some help? http://forum.sysinternals.com/forum_posts.asp?TID=3432 If not, perhaps you could attempt to telnet or putty into the port, and see if it returns an error message which might give some more info. Another idea - try ethereal to capture the packet data and see what it contains. Also I believe nmap can attempt to establish what's listening on a certain port. It might give you more info than just system 4. Regards Colin ----- Original Message ----- From: "Buozis, Martynas" <martynas () ti com> Hello I need an advice. I have Windows 2003 server. It occasionally show strange and suspicious network behavior. I used command "netstat -abov" and Process explorer tool from Sysinternals to find process behind connections. I found that it is "System 4" and got stuck. How I can identify what is behind this "System 4"? I thought it may be hidden process, but RootkitReveal from Systinternals did not show anything. I will be grateful for any ideas how to identify what is behind these TCP connections from server to many computers! Thank you in advance. With best regards Martynas ------------------------------------------------------------------------ --- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ------------------------------------------------------------------------ ------------------------------------------------------------------------------This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree,without disrupting your career or home life. http://www.msia.norwich.edu/secfocus------------------------------------------------------------------------------------------------------------------------------------------------------This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellencein Information Security. Our program offers unparalleled Infosec managementeducation and the case study affords you unmatched consulting experience.Using interactive e-Learning technology, you can earn this esteemed degree,without disrupting your career or home life.http://www.msia.norwich.edu/secfocus---------------------------------------------------------------------------
reverse engineering? what are you talking about.You are right about the root kits. BUT if its a kernel module rootkit then it wont make any different because the resources in the system are spoofed so any software you use will give you the output hiding what the hacker wants to hide.
Regards, Mario A. Spinthiras --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- How to find process behing TCP connection ?, (continued)
- How to find process behing TCP connection ? Buozis, Martynas (Sep 27)
- Re: How to find process behing TCP connection ? Colin Copley (Sep 27)
- RE: How to find process behing TCP connection ? Buozis, Martynas (Sep 27)
- Re[2]: How to find process behing TCP connection ? Roman Shirokov (Sep 28)
- RE: How to find process behing TCP connection ? Simon Zuckerbraun (Sep 29)
- RE: How to find process behing TCP connection ? Buozis, Martynas (Sep 27)
- Re: How to find process behing TCP connection ? Danux (Sep 28)
- Re: How to find process behing TCP connection ? Colin Copley (Sep 28)
- RE: How to find process behing TCP connection ? Buozis, Martynas (Sep 28)
- How to find process behing TCP connection ? Buozis, Martynas (Sep 27)
- Re: How to find process behing TCP connection ? Daniel DeLeo (Sep 28)
- Re: How to find process behing TCP connection ? Mario A. Spinthiras (Sep 29)
- Re: How to find process behing TCP connection ? Daniel DeLeo (Sep 29)
- Re: How to find process behing TCP connection ? Ansgar -59cobalt- Wiechers (Sep 28)
- Re: How to find process behing TCP connection ? Mario A. Spinthiras (Sep 28)
- Re: How to find process behing TCP connection ? Ansgar -59cobalt- Wiechers (Sep 27)
- Re: How to find process behing TCP connection ? Mario A. Spinthiras (Sep 28)
- Re: How to find process behing TCP connection ? Umil (Sep 28)
- RE: How to find process behind TCP connection ? Robert D. Holtz - Lists (Sep 28)
- RE: How to find process behind TCP connection ? Buozis, Martynas (Sep 28)