Re: Security Problem...

From: Greg (greg_68@hotmail.com)
Date: 02/12/03


From: "Greg" <greg_68@hotmail.com>
Date: Wed, 12 Feb 2003 11:54:12 -0700


How can I check? The PID just says svchost.exe. I'm already running Norton
AntiVirus (with a subscription)... wouldn't that have prevented it? I'll do
a full system scan with it and see if it finds anything, unless you have a
better idea?

"Tracker" <"snailmail(remove)222000"@yahoo.com> wrote in message
news:3E491B9E.A8F42033@yahoo.com...
> These are traditional uses for the ports, but should
> in no way suggest what is actually using them.
>
> Port 1025 Protocol tcp Name blackjack
> Description network blackjack
>
> Port 1025 Protocol udp Name blackjack
> Description network blackjack
>
> Port 1025 Protocol tcp Name listen
> Description listener RFS remote_file_sharing
>
> Port 1025 Protocol tcp Name FraggleRock
> Description [TROJAN] Fraggle Rock
>
> Port 1027 Protocol tcp Name ICKiller
> Description [TROJAN] ICKiller
>
> Check it out. Your computer might already be hosting these Trojans.
>
> Tracker
>
> Greg wrote:
>
> > It is listening on port 80 because I never turned off port 80, I just added
> > the other two ports (90 & 91) to it. Port 80 is blocked by my ISP so no one
> > can connect to it.
> >
> > Thanks for the tip on using NETSTAT -ANO. I checked the PID against the
> > running processes and I recognize all of them, except for two ports (135 and
> > 1025) which are both svchost.exe. Should I be concerned about that?
> >
> > I'll look into URLScan.
> >
> > "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> > news:u2Rz#fW0CHA.1840@TK2MSFTNGP12...
> > > Your computer is listening on TCP 80. My guess is that you have an IIS web
> > > site instance that you're not aware of, and that possibly the logs are being
> > > written to a different folder or location [or not at all]. Although if your
> > > firewall is really blocking TCP 80, then maybe this isn't the case, or maybe
> > > the FTP software was installed when you temporarily weren't running a
> > > firewall or something.
> > >
> > > If this was a compromise that came through IIS web services, installing
> > > URLScan would probably block this stuff from ever happening and would
> > > probably have let you see the original infection [though there are other
> > > things you should do besides just install URLScan and install patches to
> > > secure a server, all mentioned in the links I gave you].
> > >
> > > Your computer is listening to a lot of ports, some of them may be
> > > suspicious. Under XP, you can get more information by running NETSTAT -ANO
> > > to look and see which executable is listening on each port. In Windows
> > > 2000, you have to download and run Vision for free from
> > > www.foundstone.com/knowledge to get the same information. I believe XP to
> > > be as vulnerable as 2000 to this sort of thing, though this sort of hacking
> > > is becoming way more common lately.
> > >
> > >
> > > "Greg" <greg_68@hotmail.com> wrote in message
> > > news:O6WEXKT0CHA.1888@TK2MSFTNGP09...
> > > > The text file that I found on my system is named 1.txt and I found it in my
> > > > c:\temp\ directory. This has happened before on other installations of
> > > > Windows XP that I've done locally and I had found the text (named something
> > > > else at the time) in c:\ and d:\.
> > > >
> > > > I checked the IIS web server and FTP server logs and the only IP address is
> > > > mine. I have them both set to show full details (I set that a long time
> > > > ago).
> > > >
> > > > As far as my Firewall logs, here's what's listed under connections:
> > > >
> > > > Local Service Port Remote IP Address Remote Service Port
> > > > 1027 localhost 4323,4321,4301
> > > > (and other 42xx and 43xx)
> > > > 4328 (pop3 server) 110
> > > >
> > > > those repeat. Under the firewall logs it shows a lot of:
> > > >
> > > > TCP non-syn/non-ack packet on invalid connection. Packet has been dropped
> > > > Source IP address: 66.201.243.169
> > > > Destination IP address: desktop(68.2.207.254)
> > > > TCP Source Port: http(80)
> > > > TCP Destination Port: 9488
> > > > TCP Message Flags: 0x00000011
> > > >
> > > > all from the same IP address.
> > > >
> > > > Here's what "netstat -an | find /i "Listen" (as recommended by another
> > > > person's post) shows (I added 90 and 91 for the IIS web server, although I
> > > > only need one):
> > > >
> > > > Proto Local Address Foreign Address State
> > > > TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
> > > > TCP 0.0.0.0:90 0.0.0.0:0 LISTENING
> > > > TCP 0.0.0.0:91 0.0.0.0:0 LISTENING
> > > > TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
> > > > TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
> > > > TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
> > > > TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
> > > > TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
> > > > TCP 0.0.0.0:1415 0.0.0.0:0 LISTENING
> > > > TCP 0.0.0.0:3744 0.0.0.0:0 LISTENING
> > > > TCP 0.0.0.0:4293 0.0.0.0:0 LISTENING
> > > > TCP 0.0.0.0:4294 0.0.0.0:0 LISTENING
> > > > TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
> > > > TCP 68.2.207.254:25 0.0.0.0:0 LISTENING
> > > > TCP 68.2.207.254:139 0.0.0.0:0 LISTENING
> > > > TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
> > > > TCP 127.0.0.1:1030 0.0.0.0:0 LISTENING
> > > > TCP 127.0.0.1:43958 0.0.0.0:0 LISTENING
> > > > TCP 192.168.178.1:139 0.0.0.0:0 LISTENING
> > > > TCP 192.168.255.1:139 0.0.0.0:0 LISTENING
> > > >
> > > > here's established:
> > > > TCP 68.2.207.254:4294 207.46.248.16:119 ESTABLISHED
> > > > TCP 127.0.0.1:1027 127.0.0.1:4293 ESTABLISHED
> > > > TCP 127.0.0.1:4293 127.0.0.1:1027 ESTABLISHED
> > > >
> > > > Applications I have open are, Outlook, Outlook Express, and Borland Delphi.
> > > > I also have Microsoft SQL Server 2000 developer installed and MySQL 4. Both
> > > > services are currently disabled. And PostCast SMTP Server. And then of
> > > > course, Norton Personal Firewall and Norton Anti-Virus.
> > > >
> > > > Thanks for the links, I'll take a look at them and make changes.
> > > >
> > > > The odd thing about this is that it's happened to me over the last year or
> > > > so about 4 times. It didn't happen when I had a Linksys Router hooked up.
> > > > I no longer have it, so maybe I should just buy a new router and format. I
> > > > also never had this problem with Windows 2000 Professional. Only since
> > > > installing Windows XP. Maybe it's just a coincidence.
> > > >
> > > > I was really hoping to find out exactly how this is happening to help
> > > > prevent it in the future and also warn others that I know about it.
> > > >
> > > > "x y, mvp" <levinson_k@despammed.com> wrote in message
> > > > news:O$7YGdS0CHA.1624@TK2MSFTNGP10...
> > > > > You could probably tell us... where are you seeing those requests to
> > > > > download those files? Which log? Is there anything in your IIS web server
> > > > > logs? What are you seeing in your firewall logs that is INCOMING to your
> > > > > computer, and what are the ports being used?
> > > > >
> > > > > A very typical scenario is for a hacker to use an IIS web service
> > > > > vulnerability where specially crafted URL requests are sent to the web
> > > > > server that cause your computer to try to download an FTP server, usually
> > > > > Serv-U FTP. There are probably other vectors of entry besides just IIS www.
> > > > > If this is the case, you'll see all this on your web server logs, assuming
> > > > > logging is enabled.
> > > > >
> > > > > Besides enabling logging and monitoring the logs on your firewall and IIS
> > > > > services, the fix is to completely harden your computer like so:
> > > > >
> > > > > http://securityadmin.info/faq.htm#hacked
> > > > > http://securityadmin.info/faq.htm#ftpfolder
> > > > > http://securityadmin.info/faq.htm#iislogs2
> > > > > http://securityadmin.info/faq.htm#iislogs
> > > > > http://securityadmin.info/faq.htm#re-secure
> > > > > http://securityadmin.info/faq.htm#harden
> > > > >
> > > > > Once hackers are able to remotely execute code on your computer, as it seems
> > > > > they are currently able to do, you have no clear way to be 100% certain that
> > > > > there are not other back doors installed to allow continued remote access to
> > > > > your system. Your choices are to format and reinstall everything properly,
> > > > > or to try your best to remove what you can find and hope that's enough.
> > > > > Either choice might be acceptable depending on your need for security.
> > > > > Further instructions:
> > > > >
> > > > >
> > > > >
> > > > > "Greg" <greg_68@hotmail.com> wrote in message
> > > > > news:Or6XEDJ0CHA.1812@TK2MSFTNGP11...
> > > > > > I know those are the tools that would be used for making an FTP server.
> > > > > > What I want to know is how the text file is getting sent to me. Is it
> > > > > > getting sent through a flaw in IIS, or Windows, or what? The firewall
> > > > > > doesn't seem to know anything about it.
> > > > > >
> > > > > > I don't have an FTP server running (FTP with IIS is installed; but disabled
> > > > > > unless I use it to transfer files). That IP address isn't mine. I've
> > > > > > experienced this with ZoneAlarm, Norton Personal Firewall, and Microsoft's
> > > > > > built-in firewall. I do have many years of network experience and normally
> > > > > > use hardware firewalls but this is my home computer so I wasn't going to buy
> > > > > > one.
> > > > > >
> > > > > >
> > > > > > > FTP is running at open 68.104.136.245 1415
> > > > > > > Your machine is the ftp server. The ftp you blocked are the tools you'd use
> > > > > > > if you wanted to ftp to another machine.
> > > > > > >
> > > > > > > Better get some network experience or you'll get hacked fast.
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
>
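Greg's question at the top of the thread ("How can I check? The PID just says svchost.exe") is the usual dead end of NETSTAT -ANO on its own: svchost.exe is a generic host, and the PID only becomes meaningful once it is joined against `tasklist /svc`, which lists the services each svchost process is hosting. The script below is an added example, not code from the thread or from any tool mentioned in it. It parses constructed samples of both outputs (PIDs, the service-to-PID assignments and the process names are invented for illustration, not taken from Greg's machine), joins them on PID, and reports for every listening socket what binds it, the services inside it, and whether the socket is reachable on all interfaces or only on loopback. Entries whose PID has no tasklist row, or whose svchost hosts no service at all, are marked for follow-up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of `netstat -ano` output; PIDs are invented for the example.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1316
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1084
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       1788
  TCP    68.2.207.254:4294      207.46.248.16:119      ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /svc` output. PID 1788 is deliberately absent
# to show how an unresolvable PID is reported; service lists are invented.
TASKLIST_SVC = """\

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    932 RpcSs
svchost.exe                   1084 AudioSrv, Browser, CryptSvc, Dhcp,
                                   lanmanserver, Schedule
inetinfo.exe                  1316 IISADMIN, W3SVC
outlook.exe                   2212 N/A
"""

@dataclass
class ProcessInfo:
    pid: int
    image: str
    services: List[str] = field(default_factory=list)

@dataclass
class Listener:
    proto: str
    address: str
    port: int
    pid: int
    image: str            # "<unresolved>" when the PID has no tasklist row
    services: List[str]

    @property
    def scope(self) -> str:
        if self.address in ("0.0.0.0", "*", "[::]"):
            return "all interfaces"
        if self.address.startswith("127."):
            return "loopback"
        return "single interface"

    @property
    def needs_attention(self) -> bool:
        # A PID tasklist cannot name, or an svchost hosting no service at all,
        # is where the analyst should start looking.
        return self.image == "<unresolved>" or (
            self.image.lower() == "svchost.exe" and not self.services)

_TASK_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")

def _split_services(s: str) -> List[str]:
    return [x.strip() for x in s.split(",") if x.strip() and x.strip() != "N/A"]

def parse_tasklist_svc(text: str) -> Dict[int, ProcessInfo]:
    """Map PID -> process name and hosted services from `tasklist /svc` text."""
    procs: Dict[int, ProcessInfo] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("="):
            continue
        if raw[0].isspace() and last is not None:
            # A long service list wraps onto indented continuation lines
            last.services.extend(_split_services(raw))
            continue
        m = _TASK_ROW.match(raw)
        if not m:
            continue          # header row has no PID column value
        last = ProcessInfo(int(m.group(2)), m.group(1).strip(), _split_services(m.group(3)))
        procs[last.pid] = last
    return procs

def parse_netstat_ano(text: str, procs: Dict[int, ProcessInfo],
                      listening_only: bool = True) -> List[Listener]:
    """Join `netstat -ano` rows to their owning process; UDP rows have no state column."""
    out: List[Listener] = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        if listening_only and proto == "TCP" and state != "LISTENING":
            continue
        addr, port = local.rsplit(":", 1)
        info = procs.get(pid)
        out.append(Listener(proto, addr, int(port), pid,
                            info.image if info else "<unresolved>",
                            list(info.services) if info else []))
    return out

def report(listeners: List[Listener]) -> List[str]:
    lines = []
    for l in listeners:
        svc = ", ".join(l.services) if l.services else "-"
        flag = "  <-- check" if l.needs_attention else ""
        lines.append(f"{l.proto:<4}{l.port:>6}  {l.scope:<16} pid {l.pid:<5} {l.image:<14} {svc}{flag}")
    return lines

if __name__ == "__main__":
    for line in report(parse_netstat_ano(NETSTAT_ANO, parse_tasklist_svc(TASKLIST_SVC))):
        print(line)
```

On a real XP box the two inputs come from `netstat -ano > ns.txt` and `tasklist /svc > tl.txt`; the join is by PID, so both snapshots should be taken within a few seconds of each other. A service name inside an svchost is only a starting point: the next step for anything unfamiliar is to check the service's binary path and its digital signature, which these two commands do not show.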

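The firewall entries Greg quotes ("TCP non-syn/non-ack packet on invalid connection", source port http(80), flags 0x00000011) are easier to judge once the flags word is decoded and the repeated entries are counted per source. The parser below is an added example, not code from the thread or from Norton Personal Firewall; the entry layout is copied from the single quoted block, the field names are assumed from that sample, and the third entry (source 192.0.2.10, a documentation address) is constructed to show a different flag combination. 0x11 is FIN and ACK set together, the segment a web server sends when it closes a connection; the log's own message says the firewall found no open connection to match it against. Whether the source is simply a web server the machine talked to earlier is a judgement the reader makes from the counts, not something the code decides.

```python
import re
from collections import Counter
from typing import Dict, List

# TCP flag bits as encoded in the log's "TCP Message Flags" hex value
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Constructed sample in the layout of the firewall log quoted in the thread.
# The first two entries carry the thread's values; the third is invented.
FIREWALL_LOG = """\
TCP non-syn/non-ack packet on invalid connection. Packet has been dropped
Source IP address: 66.201.243.169
Destination IP address: desktop(68.2.207.254)
TCP Source Port: http(80)
TCP Destination Port: 9488
TCP Message Flags: 0x00000011
TCP non-syn/non-ack packet on invalid connection. Packet has been dropped
Source IP address: 66.201.243.169
Destination IP address: desktop(68.2.207.254)
TCP Source Port: http(80)
TCP Destination Port: 9491
TCP Message Flags: 0x00000011
TCP non-syn/non-ack packet on invalid connection. Packet has been dropped
Source IP address: 192.0.2.10
Destination IP address: desktop(68.2.207.254)
TCP Source Port: https(443)
TCP Destination Port: 9502
TCP Message Flags: 0x00000014
"""

_FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.+)$")   # "key: value" lines
_PAREN = re.compile(r"\(([^)]+)\)\s*$")           # trailing "(value)"

def decode_flags(value: int) -> List[str]:
    """Expand a flags word such as 0x11 into its bit names (here FIN, ACK)."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]

def _unwrap(v: str) -> str:
    # "http(80)" -> "80", "desktop(68.2.207.254)" -> "68.2.207.254", "9488" -> "9488"
    m = _PAREN.search(v)
    return m.group(1) if m else v.strip()

def parse_firewall_log(text: str) -> List[Dict[str, object]]:
    """Split the log into entries; a line that is not "key: value" opens a new one."""
    events: List[Dict[str, object]] = []
    cur = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _FIELD.match(line)
        if not m:
            cur = {"message": line.strip()}
            events.append(cur)
            continue
        if cur is None:
            continue
        key, val = m.group(1).strip().lower(), m.group(2)
        if key == "source ip address":
            cur["src_ip"] = _unwrap(val)
        elif key == "destination ip address":
            cur["dst_ip"] = _unwrap(val)
        elif key == "tcp source port":
            cur["src_port"] = int(_unwrap(val))
        elif key == "tcp destination port":
            cur["dst_port"] = int(_unwrap(val))
        elif key == "tcp message flags":
            cur["flags"] = int(val, 16)
            cur["flag_names"] = decode_flags(cur["flags"])
    return events

def summarize(events: List[Dict[str, object]]) -> Counter:
    """Count entries by (source IP, source port, flag combination)."""
    return Counter((e.get("src_ip"), e.get("src_port"), "+".join(e.get("flag_names", [])))
                   for e in events)

if __name__ == "__main__":
    for (src, sport, flags), n in summarize(parse_firewall_log(FIREWALL_LOG)).most_common():
        print(f"{n:>4}  {src}:{sport}  {flags}")
```

The summary is what answers Karl's "what are the ports being used?": a handful of FIN+ACK segments from port 80 of one host to ephemeral ports on the desktop is a different picture from SYNs arriving at a local listener, and the counts by source make the distinction visible without reading every entry.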

