RE: Hidden windows ports, files and services.
From: Paul Marsh (pmarsh_at_nmefdn.org)
Date: 02/15/05
- Previous message: Astalavista: "Astalavista.com Security Newsletter"
- Maybe in reply to: Paul Kurczaba: "RE: Hidden windows ports, files and services."
- Next in thread: H Carvey: "Re: Hidden windows ports, files and services."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 15 Feb 2005 11:59:31 -0500
To: "Alex Yan" <drcyyan@yahoo.com>, <security-basics@securityfocus.com>
How should I say this.........................................
NUKE IT
FDISK IT
DOD WIPE IT
BEAT THE HDD WITH A HAMMER
Sorry, couldn't help it. If the system was online, unprotected and
mis-configured for six months as you say, the box is 100% owned. The
only step you can take is a complete system rebuild. I would be very
concerned with privacy issues on the system in question. Did you do any
on-line transactions? How many secure sites that require a username and
password have you visited in the past six months?
Back up all your important information. Completely nuke the
HDD (DO NOT CONNECT TO THE INTERNET), reinstall your OS (DO NOT CONNECT
TO THE INTERNET), load all OS patches (DO NOT CONNECT TO THE INTERNET),
install AV and make sure it's 100% up to date (DO NOT CONNECT TO THE
INTERNET), firewall the system, then you should be safe to connect to the
internet.
If you have the time prior to nuking the system, it would be a
great learning tool to load Ethereal on the system to see some of the
traffic.
Good Luck
Thanx, Paul
-----Original Message-----
From: Alex Yan [mailto:drcyyan@yahoo.com]
Sent: Tuesday, February 15, 2005 11:37 AM
To: Paul Marsh; security-basics@securityfocus.com
Subject: RE: Hidden windows ports, files and services.
About six months.
--- Paul Marsh <pmarsh@nmefdn.org> wrote:
> Alex:
>
> Some red flags popped up as soon as I read your last email. "I
> didn't configure it right till last weekend" How long had the system
> been up and running configured incorrectly?
>
> Thanx, Paul
>
> -----Original Message-----
> From: Alex Yan [mailto:drcyyan@yahoo.com]
> Sent: Tuesday, February 15, 2005 11:20 AM
> To: Paul Marsh; security-basics@securityfocus.com
> Subject: RE: Hidden windows ports, files and services.
>
> Paul,
>
> I have Verizon DSL with a Linksys router (BEFS41 ?). I didn't configure
> it right till last weekend. The firewall and port blocking were not
> working properly before. I did try the XP ftp server and SERV-U ftp.
> But I already removed these components. Under IIS, there are no
> services running now. As you suggested, I can try removing the IIS
> component.
>
> Thanks
> Alex
>
> --- Paul Marsh <pmarsh@nmefdn.org> wrote:
>
> > Alex:
> >
> > Are you running IIS on the system in question? Are you running FTP
> > along with IIS? If you don't need them, add/remove programs,
> > add/remove Windows Components, uncheck IIS and click next, reboot and
> > do a netstat -bano and see what's listening now. What kind of an
> > internet connection do you have, broadband maybe?
> >
> > Thanx, Paul
> >
> > -----Original Message-----
> > From: Alex Yan [mailto:drcyyan@yahoo.com]
> > Sent: Tuesday, February 15, 2005 10:17 AM
> > To: Paul Marsh; security-basics@securityfocus.com
> > Subject: RE: Hidden windows ports, files and services.
> >
> > Hi Paul,
> >
> > I did run TASKLIST before without "/SVC". The processes are invisible
> > to this command.
> >
> > Last night, I checked Recycler, system32, system, etc, but didn't get
> > much.
> >
> > I ran TCPVIEW and got two sets of interesting entries with
> > non-existent:
> >
> > <non-existent>:348 local:ftp LISTENING
> > <non-existent>:348 local:https LISTENING
> > <non-existent>:348 local:6101 LISTENING
> >
> > <non-existent>:1740 local:ftp LISTENING
> > <non-existent>:1740 local:https LISTENING
> > <non-existent>:1740 local:6101 LISTENING
> >
> > These can be seen from "netstat" too. But I can't kill these processes
> > using TCPVIEW. I tried to kill other regular processes, and it's OK.
> >
> > Using "msconfig", I disabled sys.ini and win.ini, stopped loading
> > startup programs and disabled all services loading except those from
> > Microsoft for a clean boot. But these processes are still there.
> >
> > I also disabled some MS services like IIS, Plug/Play, Web Client,
> > etc. No luck. After I disabled "DHCP", the processes are gone.
> > But after "DHCP" was disabled, almost all other processes are gone
> > too.
> >
> > Next step, maybe I should do something on the registry.
> >
> > Thanks
> > Alex
> >
> >
> > --- Paul Marsh <pmarsh@nmefdn.org> wrote:
> >
> > > Alex:
> > >
> > > This is very interesting and hopefully you can do a little more
> > > investigation before you nuke and rebuild. You did a netstat -bano
> > > and found two processes running listening on port 21.
> > > Try a TASKLIST /SVC at a command prompt to see if you can identify
> > > the executable. I'd do a complete port scan on the system to see
> > > what else is happening: try NMAP http://www.insecure.org/nmap/
> > > against your system on all 65K ports TCP and UDP. I'd also run
> > > Ethereal http://www.ethereal.com/ on the system to see if anything
> > > is trying to call home or if anything is trying to get in. I'm
> > > hoping with the list of listening ports and capturing some traffic
> > > we can identify what's cook'in. Another good source of info can be
> > > found at
> > >
> > > http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
> > >
> > > Please keep us up to date as to what you find.
> > >
> > > Thanx
> > >
> > > -----Original Message-----
> > > From: Alex Yan [mailto:drcyyan@yahoo.com]
> > > Sent: Monday, February 14, 2005 2:39 PM
> > > To: H Carvey; security-basics@securityfocus.com
> > > Subject: Re: Hidden windows ports, files and services.
> > >
> > > Hi all,
> > >
> > > Thanks a lot for your help.
> > > On the weekend I tried some suggested options, but still didn't get
> > > much yet.
> > >
> > > Scanned the system using the latest Norton AV and Stinger in safe
> > > mode. Nothing came out.
> > >
> > > Ran "netstat -baon". It gives process IDs and program names for other
> > > processes. For the processes related to port 21, it says "No ownership
> > > information can be found".
> > >
> > > Tried fport, cport, process explorer, etc, but no luck.
> > >
> > > "telnet 127.0.0.1 21" gives the prompt "220 ." and then times out in
> > > 15 seconds. No telnet service was found in the Windows service list.
> > >
> > > Tonight I will follow Mark's suggestions step by step and see if I
> > > can get something. I will also try other options. If anything comes
> > > out, I will let you know.
> > >
> > > I am a software developer, more on Unix, not so familiar with Windows
> > > registry and all kinds of services and processes on XP. If I cannot
> > > find the problem and fix it, I have to reformat the system. But even
> > > after reformatting, there is still a chance that the system could not
> > > be totally clean, because I have to restore some critical data from
>
=== message truncated ===
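As an added example (my own code, not anything posted in this thread), here is the correlation that Paul's netstat -bano / TASKLIST /SVC advice amounts to, run over constructed sample output so it works offline: every listener netstat reports is matched against the PIDs tasklist shows, and the ones with no visible owner, like Alex's PID 348 and 1740 entries, are returned.

```python
import re
# Constructed "netstat -ano" sample (not captured from Alex's box); the
# listeners under PIDs 348 and 1740 mirror the TCPView entries quoted above.
NETSTAT_SAMPLE = """Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       348
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1740
  TCP    0.0.0.0:6101           0.0.0.0:0              LISTENING       348
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed "tasklist /svc" sample: no entry claims PID 348 or 1740, which
# is what a process hidden from the task list looks like.
TASKLIST_SAMPLE = """Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    900 RpcSs
"""

def parse_netstat(text):
    """One dict per socket row; UDP rows lack State, so PID is the last token."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        addr, port = parts[1].rsplit(":", 1)    # also copes with [::]:port
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append({"proto": parts[0], "addr": addr, "port": int(port),
                     "state": state, "pid": int(parts[-1])})
    return rows

def parse_tasklist(text):
    """Map PID -> image name; the header and ruler lines carry no digits."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s+(\d+)\s+\S.*$", line.rstrip())
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs

def find_unowned_listeners(netstat_text, tasklist_text):
    """Listeners whose PID is absent from the task list: the lead to chase."""
    procs = parse_tasklist(tasklist_text)
    return [(r["proto"], r["port"], r["pid"])
            for r in parse_netstat(netstat_text)
            if (r["state"] == "LISTENING" or r["proto"] == "UDP")
            and r["pid"] not in procs]
```

On a live XP box you would feed it the saved output of `netstat -ano` and `tasklist /svc` taken at the same moment; a PID that only the socket table knows about is the one to investigate before rebuilding.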