RE: Hidden windows ports, files and services.

From: Paul Marsh (pmarsh_at_nmefdn.org)
Date: 02/15/05

Date: Tue, 15 Feb 2005 09:17:49 -0500
To: "Alex Yan" <drcyyan@yahoo.com>, <security-basics@securityfocus.com>

Alex:

This is very interesting and hopefully you can do a little more
investigation before you nuke and rebuild. You did a netstat -bano and
found two processes running listening on port 21. Try a TASKLIST /SVC
at a command prompt to see if you can identify the executable. I'd do a
complete port scan on the system to see what else is happening; try NMAP
http://www.insecure.org/nmap/ against your system on all 65K ports, TCP
and UDP. I'd also run Ethereal http://www.ethereal.com/ on the system
to see if anything is trying to call home or if anything is trying to
get in. I'm hoping with the list of listening ports and capturing some
traffic we can identify what's cookin'. Another good source of info can
be found at
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

Please keep us up to date as to what you find.

Thanx

-----Original Message-----
From: Alex Yan [mailto:drcyyan@yahoo.com]
Sent: Monday, February 14, 2005 2:39 PM
To: H Carvey; security-basics@securityfocus.com
Subject: Re: Hidden windows ports, files and services.

Hi all,

Thanks a lot for your help.
On the weekend I tried some of the suggested options, but still haven't
got much yet.

Scanned the system using the latest Norton AV and Stinger in safe
mode. Nothing came out.

Ran "netstat -baon". It gives process IDs and program names for other
processes. For the processes related to port 21, it says "No ownership
information can be found".

Tried fport, cport, Process Explorer, etc., but no luck.

"telnet 127.0.0.1 21" gives the prompt "220 ." and then times out in 15
seconds. No telnet service was found in the Windows service list.

Tonight I will follow Mark's suggestions step by step and see if I
can get something. I will also try other options. If anything comes out,
I will let you know.

I am a software developer, more on Unix, not so familiar with the Windows
registry and all the kinds of services and processes on XP. If I cannot
find the problem and fix it, I have to reformat the system. But even
after reformatting, there is still a chance that the system might not be
totally clean, because I have to restore some critical data from the
backup.

Thanks again.
Alex

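Added example, not part of either message in this thread: the correlation Paul recommends, joining the PID column of `netstat -ano` with `tasklist /svc` output so each listening port is tied to an image name and its hosted services. It is written in Python over constructed sample output (every PID, address and image name below is made up) and deliberately includes a port 21 listener whose PID no process claims, which is the "No ownership information can be found" situation Alex describes. A listener left unattributed after this join is the one to chase further; it does not by itself prove a hidden process, since a socket can also be orphaned by a process that has just exited, so rerun the two commands and compare.

```python
import re

# Constructed sample of `netstat -ano` output on Windows XP; not real data.
# Lines that do not begin with TCP or UDP (headers, the bracketed image
# lines that `-b` adds) are ignored by the parser.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1240
  TCP    192.168.1.10:1041      10.0.0.5:80            ESTABLISHED     1240
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /svc` output; note PID 1532 is absent.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    980 RpcSs
explorer.exe                  1240 N/A
"""

# Image name may contain spaces, so match the PID from the right.
TASKLIST_ROW = re.compile(r"^(?P<image>.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def parse_netstat(text):
    """Parse `netstat -ano` output into a list of socket dicts."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""  # UDP rows carry no State column
        pid = int(parts[-1])                         # PID is always the last column
        sockets.append({"proto": proto, "local": local, "foreign": foreign,
                        "state": state, "pid": pid})
    return sockets


def parse_tasklist(text):
    """Parse `tasklist /svc` output into {pid: (image, [service names])}."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = TASKLIST_ROW.match(line)
        if not m:
            continue
        raw = m["services"].strip()
        services = [] if raw == "N/A" else [s.strip() for s in raw.split(",")]
        procs[int(m["pid"])] = (m["image"].strip(), services)
    return procs


def listening_sockets(sockets):
    """Bound endpoints: TCP sockets in LISTENING state plus every UDP binding."""
    return [s for s in sockets if s["proto"] == "UDP" or s["state"] == "LISTENING"]


def annotate_listeners(netstat_text, tasklist_text):
    """Join each listener with its owning image and services, or UNKNOWN."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for s in listening_sockets(parse_netstat(netstat_text)):
        image, services = procs.get(s["pid"], ("UNKNOWN", []))
        rows.append((s["proto"], s["local"], s["pid"], image, ",".join(services) or "-"))
    return rows


def find_unowned_listeners(netstat_text, tasklist_text):
    """Listeners whose PID is missing from the process list: hidden or orphaned."""
    procs = parse_tasklist(tasklist_text)
    return [s for s in listening_sockets(parse_netstat(netstat_text))
            if s["pid"] not in procs]


if __name__ == "__main__":
    for row in annotate_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("%-4s %-22s %6d %-20s %s" % row)
    for s in find_unowned_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("UNOWNED listener: %s %s pid %d" % (s["proto"], s["local"], s["pid"]))
```

On a real box, save the two command outputs to files and pass their contents to `annotate_listeners`; the same join works against the TCP/UDP lines of `netstat -bano`, whose extra bracketed image lines the parser skips. The verdict for an UNKNOWN row depends on whether the PID is still absent on a second run.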