Re: Hidden windows ports, files and services.

From: Alex Yan (drcyyan_at_yahoo.com)
Date: 02/11/05

    Date: 11 Feb 2005 02:17:28 -0000
    To: security-basics@securityfocus.com
    In-Reply-To: <41C74BAA.4060400@cs.virginia.edu>

    Hi ALL,

    Could anyone help me with a similar problem? I have a PC with XP Prof. A hidden ftp process/service is running. Using "netstat -aon", I can see
    two entries:

    Proto  Local Address   Foreign Address   State       PID
    TCP    0.0.0.0:21      0.0.0.0:0         LISTENING   86
    TCP    0.0.0.0:21      0.0.0.0:0         LISTENING   420

    The process IDs cannot be found via Task Manager, tasklist or pslist.
    The XP service manager didn't give any clue. What tools can I use to detect
    the process/program, and how can I kill this hidden process? How can I
    clean up the computer?

    Any help would be greatly appreciated.

    Thanks very much.

    Alex Yan

    >Message-ID: <41C74BAA.4060400@cs.virginia.edu>
    >Date: Mon, 20 Dec 2004 17:01:14 -0500
    >From: Mark Reis <mcr2z@cs.virginia.edu>
    >Subject: Re: Hidden windows ports, files and services.
    >In-Reply-To: <8AAB5E48C043704B8F1B835DD8F0A44602B49A@ROBIN.eightinonepet.com>
    >
    >Hello Again,
    >
    >I've discovered the answer to part 2 - the machine was infected by a
    >root kit that was intercepting all of the system calls being issued by
    >active ports, fport and such. I actually found myself being quite
    >impressed by this kit. Even running Dependency Walker and comparing it
    >with my test machine was negative.
    >
    >The first clue was when I was inspecting the attributes on the system
    >DLLs: I found some discrepancies in the flags. This ultimately led to me
    >finding multiple duplicate DLLs in c:\windows\system32 called
    >somedll.dll.tmp. What it appeared to be doing was returning the sizes
    >and values of the original backed-up files - thus masking the true trojans.
    >
    >-Mark
    >

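The two checks this thread ends up describing are both cross-view checks: a PID that owns a listening socket but is absent from the process list (Alex's two port-21 entries), and a `somedll.dll.tmp` copy sitting beside a system DLL with a different size (Mark's finding). The script below is an added example, not code from either poster. The `netstat -aon`, `tasklist /fo csv /nh` and system32 listing samples are constructed to mimic the output in the post; the function names and the sample PIDs other than 86 and 420 are the example's own. To use it on a real box, paste the actual command output into the sample strings, or read it from files saved by a known-good copy of the tools.

```python
"""Cross-view checks for a hidden socket owner and for shadow .dll.tmp files.

Added example for the thread above; none of this is the posters' code.
All input is constructed inline so the script runs offline.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample resembling `netstat -aon` on XP, including the two
# 0.0.0.0:21 entries (PIDs 86 and 420) reported in the post.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       86
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1043       205.206.231.19:80      ESTABLISHED     1600
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample resembling `tasklist /fo csv /nh`. PIDs 86 and 420 are
# deliberately missing, as the poster observed.
TASKLIST_SAMPLE = '''"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","212 K"
"svchost.exe","900","Console","0","4,940 K"
"explorer.exe","1600","Console","0","18,320 K"
'''

# Constructed (name, size in bytes) listing of c:\windows\system32, with two
# .dll.tmp shadows of the kind Mark describes. Sizes are illustrative.
SYSTEM32_SAMPLE = [
    ("kernel32.dll", 983552),
    ("ws2_32.dll", 82944),
    ("ws2_32.dll.tmp", 82944),
    ("ntdll.dll", 708096),
    ("ntdll.dll.tmp", 706048),
    ("readme.txt", 120),
]

# proto, local, remote, optional state (UDP rows have none), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row of `netstat -aon` output; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Return {pid: image name} from `tasklist /fo csv /nh` output."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs


def hidden_socket_owners(netstat_rows, procs):
    """PIDs that own a socket but do not appear in the process list.
    Returns {pid: [(proto, local, state), ...]}. A PID the socket table
    knows but the process enumeration does not is the classic sign that
    process listing is being filtered."""
    hidden = defaultdict(list)
    for r in netstat_rows:
        if r["pid"] not in procs:
            hidden[r["pid"]].append((r["proto"], r["local"], r["state"]))
    return dict(hidden)


def duplicate_listeners(netstat_rows):
    """Local endpoints reported as LISTENING by more than one PID.
    Two different processes on the same address:port is unusual enough
    (it needs SO_REUSEADDR on both) to be worth investigating."""
    owners = defaultdict(set)
    for r in netstat_rows:
        if r["state"] == "LISTENING":
            owners[(r["proto"], r["local"])].add(r["pid"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def shadow_dll_pairs(listing):
    """Find name.dll.tmp files next to name.dll; returns
    [(dll, dll_size, tmp, tmp_size), ...] so size mismatches stand out."""
    sizes = dict(listing)
    pairs = []
    for name, size in listing:
        if name.lower().endswith(".dll.tmp"):
            base = name[:-4]
            if base in sizes:
                pairs.append((base, sizes[base], name, size))
    return pairs


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_tasklist_csv(TASKLIST_SAMPLE)
    for pid, socks in hidden_socket_owners(rows, procs).items():
        print(f"PID {pid} owns {socks} but is missing from the process list")
    for (proto, local), pids in duplicate_listeners(rows).items():
        print(f"{proto} {local} is reported LISTENING by PIDs {pids}")
    for base, bsize, tmp, tsize in shadow_dll_pairs(SYSTEM32_SAMPLE):
        print(f"{tmp} ({tsize} bytes) sits beside {base} ({bsize} bytes)")
```

The limitation is the one Mark ran into: if the rootkit hooks both the socket and the process enumeration consistently, the two views agree and the diff is empty, which is why his decisive clue came from a third view (file attributes and sizes on disk) rather than from any API on the running system. Collect the views from media that the suspect kernel did not produce where you can, for example by comparing file sizes and hashes against the same DLLs on a clean install or from an offline boot.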
