RE: Hidden windows ports, files and services.

From: Edy Lie (email_at_edylie.net)
Date: 02/11/05

    To: "'Alex Yan'" <drcyyan@yahoo.com>, "'Paul Kurczaba'" <seclists@securinews.com>, <security-basics@securityfocus.com>
    Date: Fri, 11 Feb 2005 18:55:51 +0800
    
    

    Hi Alex,

    Install a packet sniffer on it, for example Ethereal, and once the attacker
    logs in you will be able to figure out the credentials and the stuff he is doing.

    Cheers,
    Edy

    -----Original Message-----
    From: Alex Yan [mailto:drcyyan@yahoo.com]
    Sent: Friday, February 11, 2005 4:27 AM
    To: Paul Kurczaba; security-basics@securityfocus.com
    Subject: RE: Hidden windows ports, files and services.

    Hi Paul,

    I'll try it. I tried to "ftp" to the infected machine
    and the connection is OK. I can't log in because I don't
    know the username/password.

    Thanks
    Alex
     
    --- Paul Kurczaba <seclists@securinews.com> wrote:

    > Open up a command prompt. Type "telnet 127.0.0.1 21". What does the banner
    > say?
    >
    > -Paul
    >
    > -----Original Message-----
    > From: Alex Yan [mailto:drcyyan@yahoo.com]
    > Sent: Thursday, February 10, 2005 9:17 PM
    > To: security-basics@securityfocus.com
    > Subject: Re: Hidden windows ports, files and
    > services.
    >
    > In-Reply-To: <41C74BAA.4060400@cs.virginia.edu>
    >
    > Hi ALL,
    >
    > Could anyone help me with a similar problem? I have a PC with XP Prof. A
    > hidden FTP process/service is running. Using "netstat -aon", I can see two
    > entries:
    >
    > Proto  Local Address   Foreign Address   State       PID
    > TCP    0.0.0.0:21      0.0.0.0:0         LISTENING   86
    > TCP    0.0.0.0:21      0.0.0.0:0         LISTENING   420
    >
    > The process IDs can not be found via Task Manager, tasklist or pslist.
    > The XP service manager didn't give any clue. What tools can I use to detect
    > the process/program, and how can I kill this hidden process? How can I clean
    > up the computer?
    >
    > Any help would be greatly appreciated.
    >
    > Thanks very much.
    >
    > Alex Yan
    >
    >
    >
    > >From: Mark Reis <mcr2z@cs.virginia.edu>
    > >Date: Mon, 20 Dec 2004 17:01:14 -0500
    > >Message-ID: <41C74BAA.4060400@cs.virginia.edu>
    > >Subject: Re: Hidden windows ports, files and services.
    > >In-Reply-To: <8AAB5E48C043704B8F1B835DD8F0A44602B49A@ROBIN.eightinonepet.com>
    > >
    > >Hello Again,
    > >
    > >I've discovered the answer to part 2 - the machine was infected by a
    > >root kit that was intercepting all of the system calls being issued by
    > >active ports, fport and such. I actually found myself being quite
    > >impressed by this kit. Even running Dependency Walker and comparing it
    > >with my test machine was negative.
    > >
    > >The first clue was when I was inspecting the attributes on the system
    > >dll, I found some discrepancies on the flags. This led to me ultimately
    > >finding multiple duplicate DLLs in c:\windows\system32 called
    > >somedll.dll.tmp. What it appeared to be doing was returning the
    > >sizes and values of the original backed up files - thus masking the true
    > >trojans.
    > >
    > >-Mark
    > >

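Alex's symptom, listeners in `netstat -aon` whose PIDs no process enumerator will admit to, is a cross-view discrepancy, and it can be checked mechanically rather than by eye. The Python below is an added example written for this page, not code from any of the posters: it parses the output of `netstat -aon` and `tasklist /fo csv /nh` and reports listening sockets whose owning PID is absent from the process list, plus endpoints that more than one PID claims to be listening on (the two port-21 entries). Both sample outputs are constructed text that mirrors the thread; on a real host you would feed in the captured command output. The helper names are mine.

```python
"""Cross-view check for hidden listeners: netstat -aon vs tasklist /fo csv.

Added example for this thread (not code from any of the posters).  Every
input below is constructed sample text; on a real host you would feed in
the captured output of the two commands instead.
"""
import csv
import io
from collections import defaultdict

# Constructed `netstat -aon` output.  The two port-21 listeners mirror the
# symptom described in the thread; the other rows are ordinary XP noise.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       86
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      10.0.0.5:80            ESTABLISHED     1288
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /fo csv /nh` output.  PIDs 86 and 420 are missing,
# which is what a process-hiding rootkit looks like from this vantage point.
TASKLIST_SAMPLE = """\
"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","216 K"
"svchost.exe","912","Console","0","4,512 K"
"explorer.exe","1288","Console","0","18,404 K"
"""


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples from netstat -aon text.

    TCP rows carry a State column; UDP rows do not, so the column count
    differs and a naive fixed-index split would mislabel the PID.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # malformed line; do not guess
        rows.append((proto, local, foreign, state, int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist /fo csv /nh output."""
    pids = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            pids[int(row[1])] = row[0]
    return pids


def find_hidden_listeners(netstat_text, tasklist_text):
    """Sockets whose owning PID is absent from the process list.

    Returns the netstat rows (listening TCP and all UDP) for which tasklist
    reports no process.  An empty result is NOT a clean bill of health: both
    tools query the same kernel, and a rootkit that hooks both will show a
    consistent lie.
    """
    visible = parse_tasklist(tasklist_text)
    suspicious = []
    for row in parse_netstat(netstat_text):
        proto, state, pid = row[0], row[3], row[4]
        if (state == "LISTENING" or proto == "UDP") and pid not in visible:
            suspicious.append(row)
    return suspicious


def find_shared_listeners(netstat_text):
    """Local endpoints reported as LISTENING under more than one PID.

    Two PIDs on the same listening socket (the port-21 pair in the thread)
    is unusual enough to deserve a look on its own, hidden or not.
    """
    owners = defaultdict(set)
    for proto, local, _foreign, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING":
            owners[(proto, local)].add(pid)
    return {ep: sorted(p) for ep, p in owners.items() if len(p) > 1}


if __name__ == "__main__":
    for row in find_hidden_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("hidden owner:", row)
    for ep, pids in find_shared_listeners(NETSTAT_SAMPLE).items():
        print("shared listener:", ep, pids)
```

A hit from this check is strong evidence, but a miss proves nothing, because netstat, tasklist, pslist and Task Manager all ask the same possibly hooked kernel. Confirmation has to come from a vantage point the rootkit does not control: a sniffer on a separate host or span port, as Edy suggests (not Ethereal on the infected box itself, whose capture can be filtered by the same hooks), or the disk mounted offline to compare system32 against a known-good install, which is the route that exposed the `.dll.tmp` copies in Mark's case. Once a kernel-level rootkit is confirmed, killing the process is not cleanup; rebuild from known-good media and restore data only.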