Re: Hidden windows ports, files and services.
From: Security (security_at_sustainedhits.com)
To: <firstname.lastname@example.org> Date: Fri, 11 Feb 2005 15:28:35 -0500
You might find this helpful:
I really doubt a different tool like Fprot would do much but show the same
thing he's getting through netstat if the system calls are being hooked to
hide the process using the standard methods.
You need to get those processes (at least the one(s) that have port 21 open)
so they will display in the regular task manager list by cleaning out
whatever is hiding them, then determine what it was hiding. If it doesn't
show up in task manager, you can be pretty sure there is a rootkit
intercepting vital system calls and hiding processes from being
shown/killed/etc. - the only reason he stumbled upon it is because they were
too sloppy to hide the port from netstat too.
----- Original Message -----
From: "Nick Duda" <nduda@VistaPrint.com>
To: "Paul Kurczaba" <email@example.com>; "Alex Yan"
Sent: Friday, February 11, 2005 5:23 AM
Subject: RE: Hidden windows ports, files and services.
> Use Fport to detect the proc.
> - Nick
> -----Original Message-----
> From: Paul Kurczaba [mailto:firstname.lastname@example.org]
> Sent: Thu 2/10/2005 3:09 PM
> To: 'Alex Yan'; email@example.com
> Subject: RE: Hidden windows ports, files and services.
> Open up a command prompt. Type "telnet 127.0.0.1 21". What does the banner
> -----Original Message-----
> From: Alex Yan [mailto:firstname.lastname@example.org]
> Sent: Thursday, February 10, 2005 9:17 PM
> To: email@example.com
> Subject: Re: Hidden windows ports, files and services.
> In-Reply-To: <41C74BAA.firstname.lastname@example.org>
> Hi ALL,
> Could anyone help me for the similar problem. I have a PC with XP prof. A
> hidden ftp process/service is running. Using "netstat -aon", I can see two
> Proto Local Address Foreign Address State PID
> TCP 0.0.0.0:21 0.0.0.0:0 LISTENING 86
> TCP 0.0.0.0:21 0.0.0.0:0 LISTENING 420
> The process IDs can not be found via taskmanager, tasklist and pslist.
> The XP srvice manager didn't give any clue. What tools can I use to detect
> the process/program and how can I kill this hidden process. How can I
> up the computer.
> Any help would be greatly appreciated.
> Thanks very much.
> Alex Yan
> >Received: (qmail 1241 invoked from network); 20 Dec 2004 22:37:09 -0000
> >Received: from outgoing.securityfocus.com (HELO
> >outgoing2.securityfocus.com) (126.96.36.199)
> > by mail.securityfocus.com with SMTP; 20 Dec 2004 22:37:09 -0000
> >Received: from lists.securityfocus.com (lists.securityfocus.com
> > by outgoing2.securityfocus.com (Postfix) with QMQP
> > id 875A214373C; Mon, 20 Dec 2004 15:06:22 -0700 (MST)
> >Mailing-List: contact email@example.com; run by
> >Precedence: bulk
> >List-Id: <security-basics.list-id.securityfocus.com>
> >List-Post: <mailto:firstname.lastname@example.org>
> >List-Help: <mailto:email@example.com>
> >List-Subscribe: <mailto:firstname.lastname@example.org>
> >Delivered-To: mailing list email@example.com
> >Delivered-To: moderator for firstname.lastname@example.org
> >Received: (qmail 13730 invoked from network); 20 Dec 2004 22:00:43
> >Message-ID: <41C74BAA.email@example.com>
> >Date: Mon, 20 Dec 2004 17:01:14 -0500
> >From: Mark Reis <firstname.lastname@example.org>
> >User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
> >X-Accept-Language: en-us, en
> >MIME-Version: 1.0
> >Cc: email@example.com
> >Subject: Re: Hidden windows ports, files and services.
> >Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >Content-Transfer-Encoding: 7bit
> >Hello Again,
> >I've discovered the answer to part 2 - the machine was infected by a
> >root kit that was intercepting all of system calls being issued by -
> >active ports, fport and such. I actually found myself being quite
> >impressed by this kit. Even running Dependency Walker and comparing it
> >with my test machine was negative.
> >The first clue was when I was inspecting the attributes on the system
> >dll, I found some discrepancies on the flags. This led to me ultimately
> >finding multiple duplicate DLLs in c:\windows\system32 called
> >somedll.dll.tmp. What it appeared to being doing was returning the
> >sizes and values of the original backed up files - thus masking the true