NT Compromise

From: Eric Hines (eric3+@pitt.edu)
Date: 12/19/01


Date: Wed, 19 Dec 2001 14:45:43 -0500
From: Eric Hines <eric3+@pitt.edu>
To: incidents@securityfocus.com

Hey all,

I am responding to several compromised NT boxes and am trying to find a
utility that will allow you to see what program is bound to a particular
port. I think I've seen one that shows what ports are bound to
command.com, but need something similar for other programs/trojans/etc.
Is there something available? Has anyone seen a compromised NT box with
port 6667 open that does not seem to be running an IRCD? Check out the
below snippet from netstat. I've tried connecting to the 6667 port with
mIRC... nothing at all! I need to find out what process/application
opened this port. On this note, can anyone recommend a good forensics
toolkit for Windows to be used on compromised machines?

C:\ netstat -an
-- snip --
  TCP 0.0.0.0:6666 0.0.0.0:0 LISTENING
  TCP 0.0.0.0:6667 0.0.0.0:0 LISTENING
  TCP 0.0.0.0:6668 0.0.0.0:0 LISTENING
-- snap --

2nd Problem: Does anyone know what the REDIRECTOR in Windows NT/2000 is?
I am seeing a compromised NT box full of such logs in the event/security
viewer. Logs have been pasted below. Notice all of the different
hostnames/machines it's attempting to access. Add 70-something other
machines to the below list. What is it, and is this a sign of a definite
compromise?

12/17/01 1:16:26 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to READING.
12/17/01 1:15:11 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to STEELSRV.
12/17/01 1:14:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PUBLICSAFETY1.
12/17/01 1:12:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to ANITRA-00.
12/17/01 1:10:41 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SRFS-PDC.
12/17/01 1:09:31 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to GODZILLA.
12/17/01 1:08:21 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SDMWWW.
12/17/01 1:07:11 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to EXCHANGE.
12/17/01 1:06:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PICASSO.
12/17/01 1:04:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PITT-TV3.
12/17/01 1:03:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to COMPUTERZ.
12/17/01 1:02:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SDMGENETICS1.
12/17/01 1:01:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to BOHNER2.
12/17/01 1:00:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to CALIBAN.

Please advise!
Eric

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
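As an added example that is not part of the original post or any reply to it: a small Python triage helper for the two kinds of output quoted above. It parses the Rdr event 3013 warnings (constructed sample lines in the same format as the post) to extract the distinct target hostnames and the cadence of the timeouts, and it lists TCP ports in LISTENING state from `netstat -an` that are not in a known-good baseline. The baseline set of expected ports is an assumption for the example.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample, same layout as the event-viewer lines in the post.
RDR_LOG = """\
12/17/01 1:16:26 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to READING.
12/17/01 1:15:11 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to STEELSRV.
12/17/01 1:14:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PUBLICSAFETY1.
12/17/01 1:12:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to ANITRA-00.
"""

# Constructed sample of 'netstat -an' output (one established line added for contrast).
NETSTAT = """\
  TCP 0.0.0.0:139 0.0.0.0:0 LISTENING
  TCP 0.0.0.0:6666 0.0.0.0:0 LISTENING
  TCP 0.0.0.0:6667 0.0.0.0:0 LISTENING
  TCP 0.0.0.0:6668 0.0.0.0:0 LISTENING
  TCP 10.0.0.5:139 10.0.0.9:1043 ESTABLISHED
"""

RDR_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) Rdr Warning None 3013 "
                    r"\S+ (\S+) The redirector has timed out a request to (\S+)\.$")

def parse_rdr(text):
    """Return (timestamp, reporting computer, target host) for each event 3013 line, oldest first."""
    events = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S %p"), m.group(2), m.group(3)))
    return sorted(events)

def rdr_summary(text):
    """Distinct targets plus the median gap between timeouts. Many distinct targets, each hit
    once at a steady cadence, is a sweep of the network over SMB rather than a user opening shares."""
    ev = parse_rdr(text)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(ev, ev[1:])]
    return {"events": len(ev), "targets": sorted({t for _, _, t in ev}),
            "median_gap_s": median(gaps) if gaps else None}

def listening_ports(text):
    """TCP ports in LISTENING state, parsed from 'netstat -an' output."""
    ports = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return sorted(ports)

def unexpected_ports(text, baseline):
    """Listening ports absent from the host's known-good baseline (assumed set, supplied by the caller)."""
    return [p for p in listening_ports(text) if p not in baseline]
```

Which process owns a port is not recoverable from `netstat -an` output alone; the distinct-target list and the unexpected-port list are what to carry into the next step of the investigation.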