Security Basics mailing list archives

RE: Hidden windows ports, files and services.


From: "Justin Acquaro" <JAcquaro () csmcorp com>
Date: Mon, 20 Dec 2004 14:13:57 -0500

Hey Mark,
        Hidden Files:
                I was able to list the directory structure under
RECYCLER in windows XP SP2 by going to TOOLS --> Folder Options --> View
and un-checking "Hide protected operating system files". This should
also apply for IE's cache.

        Hidden Processes:
                If you can't see the port on the local machine it might
be the work of a rootkit of some sort (rootkit.com has a lot of
information about NT rootkits, both discovering and creating them). I would
boot to safe mode, where you are running the absolute bare minimum, and
check your startup methods to see if there is anything suspicious
loading up.

Justin

|-----Original Message-----
|From: Mark Reis [mailto:mcr2z () cs virginia edu]
|Sent: Friday, December 17, 2004 3:33 PM
|Cc: security-basics () securityfocus com
|Subject: Hidden windows ports, files and services.
|
|Hello,
|
|Being at a University, I get to deal with my fair share of compromised
|machines. Over the past year or so, I've started to notice that hackers
|are getting smarter along with Microsoft making things more complicated
|with XP SP2. I'm hoping that other members of this list might be able to
|help resolve or know of a work around.
|
|I'm not interested in discussion in how to secure these machines, I do
|what I can within the inherent bureaucracy of the system. :)
|
|Hidden files:
|
|One of the most common things I see is hackers hiding an FTP server for
|questionable material in the RECYCLER. Assume that I am logged in as the
|local administrator, the machine is disconnected from the network, and
|explorer has been set to show all files. The offending process has been
|found and removed, and I'd like to analyze the ftp server. The default
|behavior of Windows XP is to hide the contents of the C:\RECYCLER\UID.
|Prior to XP SP2, I used to be able to go through the c$ share and see
|the contents via \\machine\c$\recycler\UID. However with XP SP2, this
|option was removed. Ultimately, I now need to download and use cygwin to
|list the directory contents.
|
|Does anyone know how to get XP to show *everything* - The same thing
|applies to XP hiding the IE cache.
|
|
|Hidden Process:
|
|A machine was recently compromised and the only way I was aware of this
|was by doing an nmap port scan of the system. NMAP 3.75 showed a ftp
|server on a non-standard port. Using ncftp, I was able to connect to
|this server.
|
|ncftp -P 1475 compromised machine -u anonymous
|NcFTP 3.1.7 (Jan 07, 2004) by Mike Gleason (http://www.NcFTP.com/contact/).
|Connecting to ....
|
|FTP Server ready.
|Login incorrect.
|
|Sleeping 20 seconds...
|
|However, when in front of the machine, I've run Active Ports, Fport and
|TCPView. None of which list a process as listening on that port. I even
|downloaded fresh versions of each and tried again. No luck. This is quite
|disturbing...
|
|Does anyone have a suggestion on how to determine what process this is?
|
|Thank you,
|Mark Reis
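The discrepancy Mark describes (a port that answers to an external nmap scan but appears in no local port-listing tool) is exactly what a cross-view check is built to surface: the network does not lie about what accepted a SYN, while a rootkit can hook the API calls Fport, TCPView and netstat depend on. The script below is an added example written for this archive page, not code from either poster. It parses nmap's grepable (-oG) output for the host as seen from outside and `netstat -an` output as captured on the host itself, then reports every externally open port the local view does not admit to. Both inputs are constructed sample data; the IP addresses and the ftp service on 1475 are placeholders chosen to mirror the thread.

```python
"""Cross-view check: external scan results vs. the host's own port list.

Added example (not part of the original thread). A port that is open
from the network but missing from the local listening table is the
signature of a hooked/hidden listener, and the port number is what to
carry to an offline (safe mode or bootable media) investigation.
"""
import re

# Constructed sample: nmap -oG style output for the compromised host,
# as seen from a second machine on the same segment.
NMAP_GREPABLE = """\
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 1475/open/tcp//ftp///\tIgnored State: closed (996)
"""

# Constructed sample: `netstat -an` run on the host itself. Note that
# nothing claims to be listening on 1475.
NETSTAT_LOCAL = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        198.51.100.7:50214     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def parse_nmap_grepable(text):
    """Return {(proto, port): service} for every port nmap reports as open."""
    open_ports = {}
    for line in text.splitlines():
        m = re.search(r"Ports: (.*)", line)
        if not m:
            continue
        # The port list ends at a tab; 'Ignored State:' follows it.
        for entry in m.group(1).split("\t")[0].split(","):
            fields = entry.strip().split("/")
            # -oG port fields: port/state/proto/owner/service/rpcinfo/version
            if len(fields) >= 5 and fields[1] == "open":
                open_ports[(fields[2], int(fields[0]))] = fields[4]
    return open_ports


def parse_netstat_listening(text):
    """Return the set of (proto, port) the host itself claims to listen on.

    TCP rows count only in LISTENING state; UDP rows have no state column,
    so every UDP row counts as a bound socket.
    """
    listening = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0].lower()
        # rsplit handles IPv6 forms such as [::]:135 as well as 0.0.0.0:135
        port = int(parts[1].rsplit(":", 1)[1])
        if proto == "udp" or (len(parts) >= 4 and parts[3] == "LISTENING"):
            listening.add((proto, port))
    return listening


def hidden_listeners(nmap_text, netstat_text):
    """Ports open from outside that are absent from the local listening table."""
    external = parse_nmap_grepable(nmap_text)
    local = parse_netstat_listening(netstat_text)
    return {key: svc for key, svc in external.items() if key not in local}


if __name__ == "__main__":
    found = hidden_listeners(NMAP_GREPABLE, NETSTAT_LOCAL)
    for (proto, port), service in sorted(found.items()):
        print(f"{proto}/{port} ({service}): open externally, not listed locally")
    if not found:
        print("local and external views agree")
```

The comparison is only as trustworthy as the local capture: take the `netstat -an` snapshot from the suspect host but run the scan from a separate, known-good machine, and treat any mismatch as a reason to stop trusting that host's own tools and move to an offline examination of its disk.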
