Penetration Testing mailing list archives
Unknown App
From: "Scott Fuhriman" <fuhrimans () llix net>
Date: Fri, 22 Jul 2005 11:57:43 -0700
It is my opinion, and I would hope others would agree, that with this particular issue as originally described, the only way to identify and mitigate whatever is happening is to get local access to the machine and then start performing some initial forensics, as others and I have suggested, by running utilities that show which processes/PIDs are bound to which ports. This will allow you to search for the potentially offending file/executable and do some more investigation from there.

Remember, however, that the biggest concern is that if there is a compromise, the box typically has to be completely wiped and installed from scratch to eliminate the possibility of other backdoors/Trojans that may be residing on your machine. Many/most rootkits, for example, have a payload to deliver on the machine, but also drop various other items and make configuration changes to allow an attacker other methods to regain access to the compromised machine. It all depends on what your findings are and the level of risk an organization is willing to accept to effectively mitigate. Many administrators or managers who don't have security training or a security mindset overlook this fact and think they have mitigated the issue when in fact malicious activity continues to occur or the issue originally discovered resurfaces.

Scott Fuhriman

-----Original Message-----
From: Sharad Birmiwal [mailto:sharadbirmiwal () gmail com]
Sent: Friday, July 22, 2005 2:31 AM
To: thenightweighsheavy () gmail com; pen-test () securityfocus com
Subject: Re: Unknown App

I recently discovered some worm on my network that tried to spread a payload file 'xxxxxxxx' by binding on port 80. It didn't serve a banner or any webpages, but http://<ip>/xxxxxxxx worked.

sharad birmiwal

On 7/21/05, Scott Fuhriman <fuhrimans () llix net> wrote:
> The easiest and fastest approach is to use a port mapping utility like Active Ports (http://www.ntutility.com) or TCPview (www.sysinternals.com) (there are others like fport, etc.) which will allow you to see what process has port 80 open on the machines. This will allow you to identify what application/process is utilizing that port.
>
> Scott Fuhriman
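The port-to-process check the thread recommends, scripted rather than done in a GUI tool. This is an added example, not code from the thread or from any of the tools it names; it assumes netstat -ano and tasklist are available (Windows XP/2003 and later), and the list of expected web-server images is an assumption to adjust per host.

```powershell
# Added example (not from this thread or its authors): the port-to-process mapping
# that Active Ports / TCPview / fport perform, scripted with netstat -ano and
# tasklist, both present on Windows XP/2003 and later. The web-server allowlist
# below is an assumption; adjust it to what the host is supposed to be running.
$ExpectedWebServers = @('inetinfo.exe', 'w3wp.exe', 'httpd.exe', 'apache.exe')

function Get-ListeningOwner {
    # Build PID -> image name from tasklist's CSV output (no header row with /NH).
    $pidToImage = @{}
    tasklist /FO CSV /NH |
        ConvertFrom-Csv -Header 'Image', 'PID', 'Session', 'SessionNum', 'Mem' |
        ForEach-Object { $pidToImage[[int]$_.PID] = $_.Image }

    # netstat -ano rows: Proto  Local Address  Foreign Address  State  PID
    # Local Address may be 0.0.0.0:80 or [::]:80; the regex handles both.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $ownerPid = [int]$Matches[3]
            [PSCustomObject]@{
                LocalAddress = $Matches[1]
                Port         = [int]$Matches[2]
                PID          = $ownerPid
                Image        = $pidToImage[$ownerPid]   # $null if tasklist did not list the PID
            }
        }
    }
}

function Find-UnexpectedPort80Listener {
    # Port 80 bound by anything other than a known web server (or by a PID that
    # tasklist does not list at all) is the symptom discussed in this thread.
    Get-ListeningOwner | Where-Object {
        $_.Port -eq 80 -and ($ExpectedWebServers -notcontains $_.Image)
    }
}

# Full listener inventory, then the port-80 findings with the image path on disk,
# which is the file to preserve and examine next.
Get-ListeningOwner | Sort-Object Port | Format-Table -AutoSize

Find-UnexpectedPort80Listener | ForEach-Object {
    $path = (Get-Process -Id $_.PID -ErrorAction SilentlyContinue).Path
    "Port 80 on $($_.LocalAddress) is bound by PID $($_.PID) ($($_.Image)), image path: $path"
}
```

A kernel-level rootkit can hide sockets and processes from netstat and tasklist alike, so an empty result from this script does not clear the box; it only tells you what the running system is willing to show.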