RE: Hidden windows ports, files and services.
From: Alex Yan (drcyyan_at_yahoo.com)
Date: 02/15/05
- Previous message: Gautam R. Singh: "Re: Clear text password vulnerability"
- Maybe in reply to: Paul Kurczaba: "RE: Hidden windows ports, files and services."
- Next in thread: Paul Marsh: "RE: Hidden windows ports, files and services."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 15 Feb 2005 08:36:32 -0800 (PST)
To: Paul Marsh <pmarsh@nmefdn.org>, security-basics@securityfocus.com
About six months.
--- Paul Marsh <pmarsh@nmefdn.org> wrote:
> Alex:
>
> Some red flags popped up as soon as I read your
> last email. "I
> didn't configure it right till last weekend" How
> long had the system
> been up and running configured incorrectly?
>
> Thanx, Paul
>
> -----Original Message-----
> From: Alex Yan [mailto:drcyyan@yahoo.com]
> Sent: Tuesday, February 15, 2005 11:20 AM
> To: Paul Marsh; security-basics@securityfocus.com
> Subject: RE: Hidden windows ports, files and
> services.
>
> Paul,
>
> I have Verizon DSL with a Linksys router (BEFS41 ?).
> I didn't configure
> it right till last weekend. The firewall and port
> blocking were not
> working properly before. I did try the XP ftp server
> and SERV-U ftp.
> But I already removed these components. Under IIS,
> there are no services
> running now. As you suggested, I can try removing the IIS
> component.
>
> Thanks
> Alex
>
> --- Paul Marsh <pmarsh@nmefdn.org> wrote:
>
> > Alex:
> >
> > Are you running IIS on the system in question? Are you running FTP
> > along with IIS? If you don't need them add/remove programs,
> > add/remove Windows Components uncheck IIS and click next, reboot and
> > do a netstat -bano and see what's listening now. What kind of an
> > internet connection do you have, broadband maybe?
> >
> > Thanx, Paul
> >
> > -----Original Message-----
> > From: Alex Yan [mailto:drcyyan@yahoo.com]
> > Sent: Tuesday, February 15, 2005 10:17 AM
> > To: Paul Marsh; security-basics@securityfocus.com
> > Subject: RE: Hidden windows ports, files and services.
> >
> > Hi Paul,
> >
> > I did run TASKLIST before without "/SVC". The processes are invisible
> > to this command.
> >
> > Last night, I checked Recycler, system32, system, etc, but didn't get
> > much.
> >
> > I ran TCPVIEW and got two sets of interesting entries with
> > non-existent:
> >
> > <non-existent>:348 local:ftp LISTENING
> > <non-existent>:348 local:https LISTENING
> > <non-existent>:348 local:6101 LISTENING
> >
> > <non-existent>:1740 local:ftp LISTENING
> > <non-existent>:1740 local:https LISTENING
> > <non-existent>:1740 local:6101 LISTENING
> >
> > These can be seen from "netstat" too. But I can't kill these processes
> > using TCPVIEW. I tried to kill other regular processes, and that's OK.
> >
> > Using "msconfig", I disabled sys.ini and win.ini, stopped loading
> > startup programs and disabled all services loading except those from
> > Microsoft for a clean boot. But these processes are still there.
> >
> > I also disabled some MS services like IIS, Plug/Play, Web Client, etc.
> > No luck. After I disabled "DHCP", the processes were gone. But after
> > "DHCP" was disabled, almost all other processes were gone too.
> >
> > Next step, maybe I should do something in the registry.
> >
> > Thanks
> > Alex
> >
> >
> > --- Paul Marsh <pmarsh@nmefdn.org> wrote:
> >
> > > Alex:
> > >
> > > This is very interesting and hopefully you can do a little more
> > > investigation before you nuke and rebuild. You did a netstat -bano
> > > and found two processes running listening on port 21.
> > > Try a TASKLIST /SVC at a command prompt to see if you can identify
> > > the executable. I'd do a complete port scan on the system to see what
> > > else is happening; try NMAP http://www.insecure.org/nmap/ against your
> > > system on all 65K ports TCP and UDP. I'd also run Ethereal
> > > http://www.ethereal.com/ on the system to see if anything is trying
> > > to call home or if anything is trying to get in. I'm hoping with the
> > > list of listening ports and capturing some traffic we can identify
> > > what's cook'in. Another good source of info can be found at
> > >
> > > http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
> > >
> > > Please keep us up to date as to what you find.
> > >
> > > Thanx
> > >
> > > -----Original Message-----
> > > From: Alex Yan [mailto:drcyyan@yahoo.com]
> > > Sent: Monday, February 14, 2005 2:39 PM
> > > To: H Carvey; security-basics@securityfocus.com
> > > Subject: Re: Hidden windows ports, files and services.
> > >
> > > Hi all,
> > >
> > > Thanks a lot for your help.
> > > On the weekend I tried some suggested options, but still didn't get
> > > much yet.
> > >
> > > Scanned the system using the latest Norton AV and Stinger in safe
> > > mode. Nothing came out.
> > >
> > > Ran "netstat -baon". It gives process IDs and program names for other
> > > processes. For the processes related to port 21, it says "No ownership
> > > information can be found".
> > >
> > > Tried fport, cport, process explorer, etc, but no luck.
> > >
> > > "telnet 127.0.0.1 21" gives the prompt "220 ." and then times out in
> > > 15 seconds. No telnet service was found in the Windows service list.
> > >
> > > Tonight I will follow Mark's suggestions step by step and see if I
> > > can get something. I will also try other options. If anything comes
> > > out, I will let you know.
> > >
> > > I am a software developer, more on Unix, not so familiar with the
> > > Windows registry and all kinds of services and processes on XP. If I
> > > can not find the problem and fix it, I have to reformat the system.
> > > But even after reformatting, there is still a chance that the system
> > > could not be totally clean, because I have to restore some critical
> > > data from
>
=== message truncated ===
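The thread's core diagnostic is a join between two views of the box: the sockets `netstat -ano`/`-bano` reports (with their owning PID) and the process table `tasklist /svc` reports. TCPView's `<non-existent>:348` and netstat's "No ownership information can be found" are both the failure of that join: a socket is open, but no process visible to user-mode tools claims the PID. The script below is an added example (not code from the thread or from any of the tools it mentions) that performs that cross-check offline. The two text samples are constructed to imitate XP-era `netstat -ano` and `tasklist /svc` output and are not captures from the poster's machine; the PIDs 348 and 1740 and the ports ftp/https/6101 are borrowed from the thread to make the result recognisable.

```python
"""Cross-check listening sockets against the process table (added example).

Constructed sample output below mimics `netstat -ano` (PID column) and
`tasklist /svc`; it is not captured from a real host.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# --- constructed sample output ------------------------------------------
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       348
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1740
  TCP    0.0.0.0:6101           0.0.0.0:0              LISTENING       1740
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1080
  TCP    192.168.1.5:1029       64.233.0.10:80         ESTABLISHED     2312
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = """\

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    900 Dnscache, RpcSs,
                                   W32Time
alg.exe                       1080 ALG
iexplore.exe                  2312 N/A
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local: str
    foreign: str
    state: str  # empty for UDP, which has no State column
    pid: int


def parse_netstat(text: str) -> List[Socket]:
    """Parse `netstat -ano` style rows; TCP rows carry a State column, UDP rows do not."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header, blank, or a `-b` "[image.exe]" line
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, foreign, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:
            proto, local, foreign, pid = fields
            state = ""
        else:
            continue  # malformed row: skip rather than guess
        sockets.append(Socket(proto, local, foreign, state, int(pid)))
    return sockets


# image name (may contain spaces), whitespace, numeric PID, whitespace, services
_TASK_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svc>.*)$")


def parse_tasklist(text: str) -> Dict[int, Tuple[str, str]]:
    """Parse `tasklist /svc` into {pid: (image, services)}.

    Long service lists wrap onto indented continuation lines, which are
    glued back onto the previous entry.
    """
    table: Dict[int, Tuple[str, str]] = {}
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and last_pid is not None:
            image, svc = table[last_pid]
            table[last_pid] = (image, (svc + " " + line.strip()).strip())
            continue
        m = _TASK_RE.match(line)
        if not m:
            continue
        last_pid = int(m.group("pid"))
        table[last_pid] = (m.group("image").strip(), m.group("svc").strip())
    return table


def find_orphan_listeners(netstat_text: str, tasklist_text: str) -> List[Socket]:
    """Listening TCP / bound UDP sockets whose PID is absent from the process table.

    This is the condition TCPView shows as "<non-existent>:PID".
    """
    procs = parse_tasklist(tasklist_text)
    return [s for s in parse_netstat(netstat_text)
            if (s.state == "LISTENING" or s.proto == "UDP") and s.pid not in procs]


def report(netstat_text: str, tasklist_text: str) -> List[str]:
    """One line per listening socket, naming its owner or flagging the gap."""
    procs = parse_tasklist(tasklist_text)
    lines = []
    for s in parse_netstat(netstat_text):
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        if s.pid in procs:
            image, svc = procs[s.pid]
            lines.append(f"{s.proto} {s.local:<22} pid {s.pid:<5} {image} [{svc}]")
        else:
            lines.append(f"{s.proto} {s.local:<22} pid {s.pid:<5} ** NO VISIBLE OWNER **")
    return lines


if __name__ == "__main__":
    for row in report(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(row)
```

On a live host the two inputs would come from `netstat -ano` and `tasklist /svc` run at the same moment; a PID that has simply exited between the two commands will also show as an orphan, so rerun before drawing conclusions. A listener that stays orphaned across runs, survives a clean boot, and cannot be killed from the same session is exactly the pattern described above, and the reliable next step is to enumerate processes and files from outside the running OS (offline or from a known-clean boot medium) rather than trusting tools that run on the suspect kernel.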