Security Basics mailing list archives
RE: Hidden windows ports, files and services.
From: "Justin Acquaro" <JAcquaro () csmcorp com>
Date: Mon, 20 Dec 2004 14:13:57 -0500
Hey Mark,

Hidden Files: I was able to list the directory structure under RECYCLER in Windows XP SP2 by going to TOOLS --> Folder Options --> View and un-checking "Hide protected operating system files". This should also apply for IE's cache.

Hidden Processes: If you can't see the port on the local machine it might be the work of a root kit of some sort. (rootkit.com) They have a lot of information about NT root kits, both discovering and creating. I would boot to safe mode where you are running the absolute bare minimum and check your startup methods to see if there is anything suspicious loading up.

Justin

|-----Original Message-----
|From: Mark Reis [mailto:mcr2z () cs virginia edu]
|Sent: Friday, December 17, 2004 3:33 PM
|Cc: security-basics () securityfocus com
|Subject: Hidden windows ports, files and services.
|
|Hello,
|
|Being at a University, I get to deal with my fair share of compromised machines. Over the past year or so, I've started to notice that hackers are getting smarter along with Microsoft making things more complicated with XP SP2. I'm hoping that other members of this list might be able to help resolve or know of a work around.
|
|I'm not interested in discussion on how to secure these machines; I do what I can within the inherent bureaucracy of the system. :)
|
|Hidden files:
|
|One of the most common things I see is hackers hiding an FTP server for questionable material in the RECYCLER. Assume that I am logged in as the local administrator, the machine is disconnected from the network, and Explorer has been set to show all files. The offending process has been found and removed, and I'd like to analyze the FTP server. The default behavior of Windows XP is to hide the contents of C:\RECYCLER\UID. Prior to XP SP2, I used to be able to go through the c$ share and see the contents via \\machine\c$\recycler\UID. However, with XP SP2, this option was removed. Ultimately, I now need to download and use cygwin to list the directory contents.
|
|Does anyone know how to get XP to show *everything*? The same thing applies to XP hiding the IE cache.
|
|
|Hidden Process:
|
|A machine was recently compromised and the only way I was aware of this was by doing an nmap port scan of the system. NMAP 3.75 showed an FTP server on a non-standard port. Using ncftp, I was able to connect to this server.
|
|ncftp -P 1475 compromised machine -u anonymous
|NcFTP 3.1.7 (Jan 07, 2004) by Mike Gleason (http://www.NcFTP.com/contact/).
|Connecting to ....
|
|FTP Server ready.
|Login incorrect.
|
|Sleeping 20 seconds...
|
|However, when in front of the machine, I've run Active Ports, Fport and TCPView. None of them lists a process as listening on that port. I even downloaded fresh versions of each and tried again. No luck. This is quite disturbing...
|
|Does anyone have a suggestion on how to determine what process this is?
|
|Thank you,
|Mark Reis
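What exposed the compromise in Mark's message is a cross-view discrepancy: nmap saw a listener from the network that Fport, Active Ports and TCPView could not see on the host. That check can be automated. The script below is an added example, not code from this thread or from any of those tools; it diffs an nmap report against `netstat -an` output (both samples are constructed, and `cross_view_diff` is a name chosen here) and reports ports open from the outside that the host does not admit to.

```python
import re

# Constructed sample (not from the thread): nmap's view of the host from the network.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1475/tcp open  unknown
"""

# Constructed sample: `netstat -an` run on the same host.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       192.168.1.1:445        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

NMAP_OPEN = re.compile(r"^(\d+)/(tcp|udp)\s+open\b", re.MULTILINE)

def parse_nmap_open(text):
    """Return {(proto, port)} for every port nmap reported as open."""
    return {(proto, int(port)) for port, proto in NMAP_OPEN.findall(text)}

def parse_netstat_listening(text):
    """Return {(proto, port)} for sockets the host itself says it listens on."""
    listening = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        proto = fields[0].lower()
        port = int(fields[1].rsplit(":", 1)[1])
        # TCP counts only in LISTENING state (an ESTABLISHED client socket is
        # not a listener); UDP lines carry no state column at all.
        if proto == "udp" or (len(fields) > 3 and fields[3] == "LISTENING"):
            listening.add((proto, port))
    return listening

def cross_view_diff(nmap_text, netstat_text):
    """Ports open from the network but missing from the host's own view.
    A non-empty result is the symptom Mark saw: the local tools are blind."""
    return sorted(parse_nmap_open(nmap_text) - parse_netstat_listening(netstat_text))

if __name__ == "__main__":
    for proto, port in cross_view_diff(NMAP_OUTPUT, NETSTAT_OUTPUT):
        print(f"{port}/{proto} is open externally but not listed locally")
```

Any port the diff reports deserves the same treatment Justin suggests: assume the host's own view is untrustworthy and inspect it from outside the running system.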