Re: [fw-wiz] OT? New compromise.



Date: Fri, 30 Mar 2007 13:09:58 -0500
From: Frank Knobbe <frank@xxxxxxxxx>
Subject: Re: [fw-wiz] OT? New compromise.
To: Firewall Wizards Security Mailing List
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
Cc: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Message-ID: <1175278198.40136.36.camel@localhost>
Content-Type: text/plain; charset="us-ascii"

On Thu, 2007-03-29 at 17:12 -0400, Mike Barkett wrote:
On Windows
c:\netstat -an |find /i "listening"

There are tools like openports or the sysinternals set you may

Windows: netstat -aon
Linux: netstat -apn

Of course all these tools only work if the application uses the OS's IP
stack. Any decent rootkitted malware, that puts its own packets on the
wire and sniffs the responses promiscuously, won't show up in those
lists. You can see the packets with tcpdump/sniffers, but won't be able
to correlate them back to an application (unless you do some CPU
utilization sample and correlate that with the observed network traffic,
but you'd need to be able to see the app in the first place, so if it's
hidden by a rootkit, that won't help you either).

Just because nothing shows up in netstat doesn't mean that there isn't
an application promiscuously listening for data to that port.

Regards,
Frank


True, a rootkit is one possible explanation. In this case the traffic has
already been spotted on the network and thus requires explanation at the
host. Therefore, a netstat showing nothing is just as informative as one
that shows something bogus, which is just as informative as one that shows
the actual running application. Every outcome requires further digging
anyway. It is just one more data point that is only as valuable as the
skill level of the security professional analyzing it.

-MAB
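The host-versus-network correlation both posters describe, as an added example that is not part of this thread: parse the socket table a host reports (Windows `netstat -aon` or Linux `netstat -apn` style output), then compare it with the ports a sniffer saw traffic for. A port with traffic on the wire but no socket in the host's table is exactly the case Frank raises, and the one MAB says needs further digging. The netstat output and the sniffer observations below are constructed samples, and the function names are my own.

```python
"""Correlate sockets reported by a host's netstat with ports seen on the wire.

netstat only lists sockets opened through the OS IP stack, so a port that
carries traffic on the network yet has no netstat entry is the case worth
investigating on the host. Works on Windows ``netstat -aon`` and Linux
``netstat -apn`` style output (constructed samples below).
"""
from typing import Iterable, List, NamedTuple, Optional, Tuple


class HostSocket(NamedTuple):
    proto: str              # "tcp" or "udp" (tcp6/udp6 normalised)
    port: int               # local port
    pid: Optional[int]      # owning process id, if netstat printed one
    program: Optional[str]  # program name (Linux -p column only)


def _local_port(addr: str) -> Optional[int]:
    """Port from '0.0.0.0:135', '[::]:135' or '*:*' (None when no port)."""
    _, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def parse_netstat(output: str) -> List[HostSocket]:
    """Parse Windows (Proto Local Foreign [State] PID) or
    Linux (Proto Recv-Q Send-Q Local Foreign [State] PID/Program) rows."""
    sockets = []
    for raw in output.splitlines():
        tok = raw.split()
        if not tok or tok[0].lower() not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # headers and blank lines
        proto = tok[0].lower()[:3]
        if ":" in tok[1]:                      # Windows layout
            local, owner = tok[1], tok[-1]
        else:                                  # Linux layout
            local = tok[3]
            owner = next((t for t in tok[4:] if "/" in t or t == "-"), tok[-1])
        port = _local_port(local)
        if port is None:
            continue
        pid, program = None, None
        if "/" in owner:                       # Linux "812/sshd"
            pid_s, _, program = owner.partition("/")
            pid = int(pid_s) if pid_s.isdigit() else None
        elif owner.isdigit():                  # Windows bare PID
            pid = int(owner)
        sockets.append(HostSocket(proto, port, pid, program))
    return sockets


def unexplained_ports(observed: Iterable[Tuple[str, int]],
                      sockets: Iterable[HostSocket]) -> List[Tuple[str, int]]:
    """(proto, port) pairs seen on the wire that no host socket accounts for."""
    known = {(s.proto, s.port) for s in sockets}
    return sorted({(p.lower(), port) for p, port in observed} - known)


def port_owner(sockets: Iterable[HostSocket], proto: str, port: int):
    """(pid, program) of the first socket bound to proto/port, else None."""
    for s in sockets:
        if s.proto == proto and s.port == port:
            return s.pid, s.program
    return None


# Constructed sample of Windows `netstat -aon` output (not real capture data).
WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49512     203.0.113.5:443        ESTABLISHED     2316
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:123            *:*                                    1048
"""

# Constructed sample of Linux `netstat -apn` output (not real capture data).
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.20:22         192.168.1.5:51234       ESTABLISHED 2001/sshd: alice
udp        0      0 0.0.0.0:68              0.0.0.0:*                           654/dhclient
"""

# Constructed (proto, port) pairs a sniffer reported as traffic to the Windows host.
OBSERVED_ON_WIRE = [("tcp", 445), ("tcp", 31337), ("udp", 123), ("tcp", 135)]

if __name__ == "__main__":
    socks = parse_netstat(WINDOWS_SAMPLE)
    for proto, port in unexplained_ports(OBSERVED_ON_WIRE, socks):
        print(f"{proto}/{port}: seen on the wire, no socket in netstat -> dig into the host")
    print("tcp/445 owner:", port_owner(socks, "tcp", 445))
```

A port that does turn up in the table still deserves the PID lookup, since a bogus-looking owner is, as MAB says, just as much a data point as an absent one; the script treats every host socket (listening or established) as "explained" so only the stack-bypassing case is flagged.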

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
