RE: Hidden windows ports, files and services.

From: Alex Yan (drcyyan_at_yahoo.com)
Date: 02/10/05

    Date: Thu, 10 Feb 2005 12:27:04 -0800 (PST)
    To: Paul Kurczaba <seclists@securinews.com>, security-basics@securityfocus.com
    
    

    Hi Paul,

    I'll try it. I tried to "ftp" to the infected machine and the connection
    is OK. I can't log in because I don't know the username/password.

    Thanks
    Alex
     
    --- Paul Kurczaba <seclists@securinews.com> wrote:

    > Open up a command prompt. Type "telnet 127.0.0.1 21". What does the
    > banner say?
    >
    > -Paul
    >
    > -----Original Message-----
    > From: Alex Yan [mailto:drcyyan@yahoo.com]
    > Sent: Thursday, February 10, 2005 9:17 PM
    > To: security-basics@securityfocus.com
    > Subject: Re: Hidden windows ports, files and services.
    >
    > In-Reply-To: <41C74BAA.4060400@cs.virginia.edu>
    >
    > Hi ALL,
    >
    > Could anyone help me with a similar problem? I have a PC with XP Prof.
    > A hidden ftp process/service is running. Using "netstat -aon", I can
    > see two entries:
    >
    > Proto  Local Address  Foreign Address  State      PID
    > TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  86
    > TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  420
    >
    > The process IDs cannot be found via Task Manager, tasklist or pslist.
    > The XP service manager didn't give any clue. What tools can I use to
    > detect the process/program, and how can I kill this hidden process?
    > How can I clean up the computer?
    >
    > Any help would be greatly appreciated.
    >
    > Thanks very much.
    >
    > Alex Yan
    >
    >
    >
    > >Message-ID: <41C74BAA.4060400@cs.virginia.edu>
    > >Date: Mon, 20 Dec 2004 17:01:14 -0500
    > >From: Mark Reis <mcr2z@cs.virginia.edu>
    > >Subject: Re: Hidden windows ports, files and services.
    > >
    > >Hello Again,
    > >
    > >I've discovered the answer to part 2 - the machine was infected by a
    > >root kit that was intercepting all of the system calls being issued by
    > >active ports, fport and such. I actually found myself being quite
    > >impressed by this kit. Even running Dependency Walker and comparing it
    > >with my test machine was negative.
    > >
    > >The first clue was when I was inspecting the attributes on the system
    > >dll, I found some discrepancies on the flags. This led to me ultimately
    > >finding multiple duplicate DLLs in c:\windows\system32 called
    > >somedll.dll.tmp. What it appeared to be doing was returning the sizes
    > >and values of the original backed up files - thus masking the true
    > >trojans.
    > >
    > >-Mark
    > >
    >
    >
    >

            
                    
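The symptom Alex reports (sockets in netstat -aon whose PIDs never appear in Task Manager, tasklist or pslist) is a cross-view discrepancy, and it can be checked mechanically. The Python below is an added example, not code from the thread: it parses constructed netstat -aon and tasklist output modelled on Alex's two port 21 entries and reports LISTENING sockets owned by PIDs the process list does not show.

```python
import re

# Constructed sample of "netstat -aon" output, modelled on the thread:
# two listeners on TCP/21 whose PIDs never show up in the process list.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       86
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1340
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of "tasklist" output from the same hypothetical host.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                    912 Console                    0      4,520 K
alg.exe                       1340 Console                    0      3,296 K
"""

# UDP rows carry no State column, so that field is optional.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(.*?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+)\s+K\s*$")

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples for each socket row."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append((proto, local, foreign, state or "", int(pid)))
    return rows

def parse_tasklist(text):
    """Return the set of PIDs that the process list is willing to show."""
    return {int(m.group(2)) for m in map(TASKLIST_RE.match, text.splitlines()) if m}

def hidden_listeners(netstat_rows, visible_pids):
    """LISTENING sockets owned by a PID the process list does not report.
    A non-empty result is the cross-view gap typical of a process-hiding rootkit;
    confirm it from a view the kit cannot filter (another host, offline disk)."""
    return [r for r in netstat_rows if r[3] == "LISTENING" and r[4] not in visible_pids]
```

Because a kernel-level rootkit can filter the netstat view as well, an empty result from this host alone is not a clean bill of health; Paul's suggestion of connecting to the port directly tests the service from outside the hooked API.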

