RE: Hidden windows ports, files and services.

From: Justin Acquaro (JAcquaro_at_csmcorp.com)
Date: 12/20/04

    Date: Mon, 20 Dec 2004 14:13:57 -0500
    To: "Mark Reis" <mcr2z@cs.virginia.edu>

    Hey Mark,
            Hidden Files:
                    I was able to list the directory structure under
    RECYCLER in windows XP SP2 by going to TOOLS --> Folder Options --> View
    and un-checking "Hide protected operating system files". This should
    also apply for IE's cache.

            Hidden Processes:
                    If you can't see the port on the local machine it might
    be the work of a rootkit of some sort. rootkit.com has a lot of
    information about NT rootkits, both discovering and creating them. I would
    boot to safe mode where you are running the absolute bare minimum and
    check your startup methods to see if there is anything suspicious
    loading up.

    Justin

    |-----Original Message-----
    |From: Mark Reis [mailto:mcr2z@cs.virginia.edu]
    |Sent: Friday, December 17, 2004 3:33 PM
    |Cc: security-basics@securityfocus.com
    |Subject: Hidden windows ports, files and services.
    |
    |Hello,
    |
    |Being at a University, I get to deal with my fair share of compromised
    |machines. Over the past year or so, I've started to notice that hackers
    |are getting smarter along with Microsoft making things more complicated
    |with XP SP2. I'm hoping that other members of this list might be able to
    |help resolve or know of a work around.
    |
    |I'm not interested in discussion in how to secure these machines, I do
    |what I can within the inherent bureaucracy of the system. :)
    |
    |Hidden files:
    |
    |One of the most common things I see is hackers hiding an FTP server for
    |questionable material in the RECYCLER. Assume that I am logged in as the
    |local administrator, the machine is disconnected from the network, and
    |explorer has been set to show all files. The offending process has been
    |found and removed, and I'd like to analyze the ftp server. The default
    |behavior of Windows XP is to hide the contents of the C:\RECYCLER\UID.
    |Prior to XP SP2, I used to be able to go through the c$ share and see
    |the contents via \\machine\c$\recycler\UID. However with XP SP2, this
    |option was removed. Ultimately, I now need to download and use cygwin to
    |list the directory contents.
    |
    |Does anyone know how to get XP to show *everything*? The same thing
    |applies to XP hiding the IE cache.
    |
    |
    |Hidden Process:
    |
    |A machine was recently compromised and the only way I was aware of this
    |was by doing an nmap port scan of the system. NMAP 3.75 showed a ftp
    |server on a non-standard port. Using ncftp, I was able to connect to
    |this server.
    |
    |ncftp -P 1475 compromised machine -u anonymous
    |NcFTP 3.1.7 (Jan 07, 2004) by Mike Gleason (http://www.NcFTP.com/contact/).
    |Connecting to ....
    |
    |FTP Server ready.
    |Login incorrect.
    |
    |Sleeping 20 seconds...
    |
    |However, when in front of the machine, I've run Active Ports, Fport and
    |TCPView. None of which list a process as listening on that port. I even
    |downloaded fresh versions of each and tried again. No luck. This is quite
    |disturbing...
    |
    |Does anyone have a suggestion on how to determine what process this is?
    |
    |Thank you,
    |Mark Reis
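What Mark stumbled on is a cross-view discrepancy: the external nmap scan and the host's own port tools disagree, which is the classic sign of a kernel-level hook hiding a listener. The script below is an added example (not from this thread or any tool it mentions) that automates that comparison: it parses a constructed `nmap -oG` line and constructed `netstat -an` output and reports every TCP port open from outside but absent from the local LISTENING list.

```python
"""Cross-view check for hidden TCP listeners (added example).

A port open to an external scanner but missing from the host's own
netstat view is the discrepancy described in the thread and is a
strong rootkit indicator worth pulling the box offline to investigate.
"""
import re

# Constructed sample: one host line from `nmap -oG` (grepable output).
NMAP_GREPABLE = (
    "Host: 192.0.2.10 ()\tPorts: 135/open/tcp//msrpc///, "
    "445/open/tcp//microsoft-ds///, 1475/open/tcp//unknown///"
    "\tIgnored State: closed (1657)"
)

# Constructed sample: `netstat -an` as run on the same Windows host.
NETSTAT_LOCAL = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""


def external_open_tcp_ports(grepable_line):
    """Set of TCP ports the external scan reported as open."""
    ports = set()
    match = re.search(r"Ports:\s*(.*?)(?:\t|$)", grepable_line)
    if not match:
        return ports
    for entry in match.group(1).split(","):
        # Grepable fields: port/state/protocol/owner/service/rpc/version
        fields = entry.strip().split("/")
        if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
            ports.add(int(fields[0]))
    return ports


def local_listening_tcp_ports(netstat_output):
    """Set of TCP ports the host itself admits are LISTENING."""
    ports = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def hidden_listeners(grepable_line, netstat_output):
    """Ports visible from outside but hidden from the local view."""
    outside = external_open_tcp_ports(grepable_line)
    inside = local_listening_tcp_ports(netstat_output)
    return sorted(outside - inside)
```

Run against real output the same way: capture `nmap -oG` from a second machine and `netstat -an` on the suspect host, then feed both strings to `hidden_listeners`; a non-empty result is what Fport and TCPView were unable to show Mark.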

