Re: Hidden windows ports, files and services.

From: Security (security_at_sustainedhits.com)
Date: 02/11/05

    To: <security-basics@securityfocus.com>
    Date: Fri, 11 Feb 2005 15:28:35 -0500
    
    

    You might find this helpful:
    http://home.arcor.de/scheinsicherheit/rootkits.htm

    I really doubt a different tool like Fport would do much but show the same
    thing he's getting through netstat if the system calls are being hooked to
    hide the process using the standard methods.

    You need to get those processes (at least the one(s) that have port 21 open)
    so they will display in the regular task manager list by cleaning out
    whatever is hiding them, then determine what it was hiding. If it doesn't
    show up in task manager, you can be pretty sure there is a rootkit
    intercepting vital system calls and hiding processes from being
    shown/killed/etc. - the only reason he stumbled upon it is because they were
    too sloppy to hide the port from netstat too.

    ----- Original Message -----
    From: "Nick Duda" <nduda@VistaPrint.com>
    To: "Paul Kurczaba" <seclists@securinews.com>; "Alex Yan"
    <drcyyan@yahoo.com>; <security-basics@securityfocus.com>
    Sent: Friday, February 11, 2005 5:23 AM
    Subject: RE: Hidden windows ports, files and services.

    > Use Fport to detect the proc.
    >
    > - Nick
    >
    > -----Original Message-----
    > From: Paul Kurczaba [mailto:seclists@securinews.com]
    > Sent: Thu 2/10/2005 3:09 PM
    > To: 'Alex Yan'; security-basics@securityfocus.com
    > Cc:
    > Subject: RE: Hidden windows ports, files and services.
    >
    >
    >
    > Open up a command prompt. Type "telnet 127.0.0.1 21". What does the banner
    > say?
    >
    > -Paul
    >
    > -----Original Message-----
    > From: Alex Yan [mailto:drcyyan@yahoo.com]
    > Sent: Thursday, February 10, 2005 9:17 PM
    > To: security-basics@securityfocus.com
    > Subject: Re: Hidden windows ports, files and services.
    >
    > In-Reply-To: <41C74BAA.4060400@cs.virginia.edu>
    >
    > Hi ALL,
    >
    > Could anyone help me with a similar problem? I have a PC with XP Prof. A
    > hidden FTP process/service is running. Using "netstat -aon", I can see two
    > entries:
    >
    >   Proto  Local Address  Foreign Address  State      PID
    >   TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  86
    >   TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  420
    >
    > The process IDs cannot be found via Task Manager, tasklist or pslist.
    > The XP service manager didn't give any clue. What tools can I use to detect
    > the process/program, and how can I kill this hidden process? How can I
    > clean up the computer?
    >
    > Any help would be greatly appreciated.
    >
    > Thanks very much.
    >
    > Alex Yan
    >
    >
    >
    > >From: Mark Reis <mcr2z@cs.virginia.edu>
    > >Date: Mon, 20 Dec 2004 17:01:14 -0500
    > >Subject: Re: Hidden windows ports, files and services.
    > >Message-ID: <41C74BAA.4060400@cs.virginia.edu>
    > >
    > >Hello Again,
    > >
    > >I've discovered the answer to part 2 - the machine was infected by a
    > >root kit that was intercepting all of the system calls being issued by
    > >Active Ports, Fport and such. I actually found myself being quite
    > >impressed by this kit. Even running Dependency Walker and comparing it
    > >with my test machine was negative.
    > >
    > >The first clue was when I was inspecting the attributes on the system
    > >DLLs: I found some discrepancies in the flags. This led to me ultimately
    > >finding multiple duplicate DLLs in c:\windows\system32 called
    > >somedll.dll.tmp. What it appeared to be doing was returning the
    > >sizes and values of the original backed-up files - thus masking the true
    > >trojans.
    > >
    > >-Mark
    > >
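The thread's diagnosis rests on one observation: netstat reports a PID that no process-listing tool will show. That is a cross-view check, and it can be automated so the discrepancy is found before someone happens to look at port 21. The script below is an added example, not code from any poster on this list: it parses the output of `netstat -aon` and `tasklist /FO CSV /NH` and reports every socket whose owning PID is absent from the process view. The two sample outputs are constructed here, modelled on the entries Alex posted (PIDs 86 and 420 on port 21) plus a few ordinary XP listeners; the `collect_live` helper runs the same two commands on a real Windows host and is only invoked with `--live`.

```python
"""Cross-view check: sockets owned by PIDs that the process list does not show.

Added example (not from the thread). A rootkit that hooks the process-enumeration
path but forgets the TCP table leaves exactly this inconsistency behind.
"""
import csv
import io
import subprocess
import sys
from typing import Dict, List, NamedTuple


class Socket(NamedTuple):
    proto: str
    local: str
    state: str   # empty for UDP, which has no state column
    pid: int


# Constructed sample of `netstat -aon` output (modelled on the thread's port-21 entries).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       86
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1160
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /FO CSV /NH` output; note there is no PID 86 or 420.
SAMPLE_TASKLIST = '''"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","212 K"
"svchost.exe","724","Console","0","4,512 K"
"alg.exe","1160","Console","0","3,100 K"
'''


def parse_netstat(text: str) -> List[Socket]:
    """Parse `netstat -aon` lines. TCP rows have 5 columns, UDP rows 4; PID is last."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP") or not parts[-1].isdigit():
            continue  # banner, header, or malformed line
        state = parts[3] if parts[0] == "TCP" and len(parts) >= 5 else ""
        sockets.append(Socket(parts[0], parts[1], state, int(parts[-1])))
    return sockets


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Parse `tasklist /FO CSV` output into {pid: image name}; a header row is skipped."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs


def find_hidden_owners(sockets: List[Socket], procs: Dict[int, str]) -> List[Socket]:
    """Cross-view diff: every socket whose PID is missing from the process view.

    Only the sloppy case from the thread is caught here; a kit that hides its
    sockets as well as its process is invisible to both views.
    """
    return [s for s in sockets if s.pid not in procs]


def collect_live():
    """Snapshot both views on a Windows host. The process list is taken before and
    after netstat and the two are merged, so a process that starts or exits between
    snapshots does not show up as a false "hidden" PID.
    """
    def run(cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    before = parse_tasklist_csv(run(["tasklist", "/FO", "CSV", "/NH"]))
    sockets = parse_netstat(run(["netstat", "-aon"]))
    after = parse_tasklist_csv(run(["tasklist", "/FO", "CSV", "/NH"]))
    return sockets, {**before, **after}


def report(hidden: List[Socket]) -> List[str]:
    """One line per finding, e.g. 'TCP 0.0.0.0:21 LISTENING owned by PID 86: no such process visible'."""
    return [f"{s.proto} {s.local} {s.state or '-'} owned by PID {s.pid}: no such process visible"
            for s in hidden]


if __name__ == "__main__":
    if "--live" in sys.argv and sys.platform == "win32":
        socks, procs = collect_live()
    else:
        socks, procs = parse_netstat(SAMPLE_NETSTAT), parse_tasklist_csv(SAMPLE_TASKLIST)
    for line in report(find_hidden_owners(socks, procs)):
        print(line)
```

A hit from this check is a reason to stop trusting the user-mode view altogether and move to offline inspection (boot from clean media, or image the disk), since the same hooks that hide the process will also lie to whatever you run next on the live system.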

