Re: NT Compromise

From: Christine Merey (cmerey2@algorithmics.com)
Date: 12/19/01


From: Christine Merey <cmerey2@algorithmics.com>
Date: Wed, 19 Dec 2001 16:38:44 -0500
To: incidents@securityfocus.com


>
> -----Original Message-----
> From: Eric Hines [mailto:eric3+@pitt.edu]
> Sent: Wednesday, December 19, 2001 2:46 PM
> To: incidents@securityfocus.com
> Subject: NT Compromise
>
>
> Hey all,
>
> I am responding to several compromised NT boxes and am trying to find a
> utility that will allow you to see what program is bound to a particular
> port. I think I've seen one that shows what ports are bound to
> command.com, but need something similar for other programs/trojans/etc.
> Is there something available? Has anyone seen a compromised NT box with
> port 6667 open that does not seem to be running an IRCD? Check out the
> below snippet from netstat. I've tried connecting to the 6667 port with
> mIRC.. Nothing at all! I need to find out what process/application
> opened this port. On this note, can anyone recommend a good forensics
> toolkit for Windows to be used on compromised machines?
>
> C:\ netstat -an
> -- snip --
> TCP 0.0.0.0:6666 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:6667 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:6668 0.0.0.0:0 LISTENING
> -- snap --
>

Try Arne Vidstrom's inzider to get "lsof"-type information on NT/2000:
www.ntsecurity.nu/toolbox/inzider; it will tell you port/app mappings.

Secondly, check out www.sysinternals.com - they have a gold mine of free tools
that will give you the skinny on your NT box. In particular, to find what
this app is, look at TDIMon for network connections and Process Explorer
for all processes running on your system (obviously, if it doesn't show
your 6667 listener, then it's hidden).

Chris.

Christine Merey
Security Administrator
Toronto, Ontario
cmerey@algorithmics.com
PGP Key-ID: 0x880E574A

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
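The port-to-process mapping the thread is after, as an added example that is not part of the original messages and not code from inzider, TDIMon or Process Explorer: it parses `netstat -ano` output (the `-o` owning-PID column exists on Windows XP and later; the NT4-era netstat in the quoted message lacks it, which is why the reply points at inzider), joins it against a PID-to-image table such as `tasklist` prints, and flags listeners in the IRC port range. The netstat text and the process table are constructed sample data.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of `netstat -ano` output (assumed format of the XP+ netstat).
# It mirrors the three listeners from the quoted message plus two normal ones.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       1732
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1732
  TCP    0.0.0.0:6668           0.0.0.0:0              LISTENING       1732
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
"""

# Constructed PID -> image name table, as `tasklist` or Process Explorer would show it.
SAMPLE_PROCESSES: Dict[int, str] = {4: "System", 884: "svchost.exe", 1732: "command.com"}

# The IRC port range the original poster asks about; a box that is not meant to
# run an IRC daemon should have nothing listening here.
SUSPECT_PORTS = range(6660, 6670)

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: int

# One TCP LISTENING row: proto, local addr:port, foreign addr:port, state, PID.
LINE_RE = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(text: str) -> List[Listener]:
    """Return every LISTENING TCP socket together with its owning PID."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return found

def map_ports_to_images(text: str, processes: Dict[int, str]) -> Dict[int, str]:
    """port -> image name: the 'port/app mapping' the reply asks inzider for."""
    return {l.port: processes.get(l.pid, f"<unknown pid {l.pid}>") for l in parse_listeners(text)}

def suspicious_listeners(text: str, processes: Dict[int, str],
                         suspect=SUSPECT_PORTS) -> List[Tuple[int, int, str]]:
    """(port, pid, image) for each listener on a suspect port, in netstat order."""
    return [(l.port, l.pid, processes.get(l.pid, "?"))
            for l in parse_listeners(text) if l.port in suspect]
```

A listener that netstat reports but no process table entry explains (or that Process Explorer does not show at all) is the "hidden" case the reply mentions, and the `<unknown pid>` marker makes it stand out.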


