Security Basics mailing list archives
Re: Hidden windows ports, files and services.
From: Mark Reis <mcr2z () cs virginia edu>
Date: Thu, 10 Feb 2005 15:15:38 -0500
Hello Alex,

Here are some steps that I've found are quite helpful.

1) Reboot into Safe Mode. I've found that will generally reveal the hidden processes, as it loads with a minimal DLL set.

2) Check all of the typical places that processes start: Registry, Start Menu, etc. While you are in safe mode, attempt to run your port scans. I'd suggest using TCPVIEW.exe from Sysinternals along with their Process Explorer.
   - While looking in the registry, search for "AppTo" in the current control set services.
   - Look for strangely named processes, like svchostt, or processes (exe files) that start from strange locations.

3) Dig around extensively in c:\windows\system32 and system, and sort on modification date. Typically you can look for modification dates around the time of infection. Once you find one part of the hack, use Windows search to find all files modified as well as created on this date. (Make sure to use the advanced procedure and search on all files, along with changing the folder view to show everything.) Look for dlls as well.

4) Check your "C:\System Volume Information" and "C:\RECYCLER" folders for the ftp files.

5) If all else fails, try booting into Knoppix and mount your drive to see if you can find the suspicious files there.

I hope this helps.

-Mark

Alex Yan wrote:
Hi ALL,

Could anyone help me with a similar problem? I have a PC with XP Prof. A hidden ftp process/service is running. Using "netstat -aon", I can see two entries:

  Proto  Local Address  Foreign Address  State      PID
  TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  86
  TCP    0.0.0.0:21     0.0.0.0:0        LISTENING  420

The process IDs can not be found via taskmanager, tasklist and pslist. The XP service manager didn't give any clue. What tools can I use to detect the process/program, and how can I kill this hidden process? How can I clean up the computer? Any help would be greatly appreciated. Thanks very much.

Alex Yan

From: Mark Reis <mcr2z () cs virginia edu>
Date: Mon, 20 Dec 2004 17:01:14 -0500
Subject: Re: Hidden windows ports, files and services.

Hello Again,

I've discovered the answer to part 2 - the machine was infected by a root kit that was intercepting all of the system calls being issued by active ports, fport and such. I actually found myself being quite impressed by this kit. Even running Dependency Walker and comparing it with my test machine was negative. The first clue was when I was inspecting the attributes on the system dll: I found some discrepancies in the flags. This led to me ultimately finding multiple duplicate DLLs in c:\windows\system32 called somedll.dll.tmp. What it appeared to be doing was returning the sizes and values of the original backed up files - thus masking the true trojans.

-Mark
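The cross-check Alex describes (a listening socket whose owning PID is missing from tasklist) is the discrepancy that gives such a rootkit away, and it can be automated. The following is an added example written for this archive page, not code from either poster; it parses constructed "netstat -aon" and "tasklist" output modelled on the entries quoted above, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output modelled on the thread's entries; PID 920 is a visible control.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       86
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                    920 Console                    0      4,988 K
"""

def parse_netstat_listeners(text: str) -> List[Tuple[str, str, int]]:
    # (proto, local address, pid) for each LISTENING TCP row of 'netstat -aon'.
    found = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5 and p[0] == "TCP" and p[3] == "LISTENING":
            found.append((p[0], p[1], int(p[4])))
    return found

def parse_tasklist_pids(text: str) -> Dict[int, str]:
    # pid -> image name from 'tasklist' output; image names may contain spaces,
    # so anchor on the trailing "<pid> <session> <session#> <mem> K" columns.
    row = re.compile(r"^(.*?\S)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
    pids = {}
    for line in text.splitlines():
        m = row.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids

def hidden_listeners(netstat_text: str, tasklist_text: str) -> List[Tuple[str, str, int]]:
    # Listeners whose owning PID is absent from the process list: the symptom
    # reported in the thread. A rootkit can hook netstat as well, so an empty
    # result is not proof of a clean box; the offline (Knoppix) check still applies.
    known = parse_tasklist_pids(tasklist_text)
    return [l for l in parse_netstat_listeners(netstat_text) if l[2] not in known]

if __name__ == "__main__":
    for proto, addr, pid in hidden_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{proto} {addr} is owned by PID {pid}, which tasklist does not show")
```

On a live XP box the same two functions can be fed the captured stdout of "netstat -aon" and "tasklist"; running them from Safe Mode, as step 1 suggests, reduces the chance that the hooked DLLs are loaded.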
Current thread:
- Re: Hidden windows ports, files and services. Alex Yan (Feb 10)
- Re: Hidden windows ports, files and services. Mark Reis (Feb 10)
- RE: Hidden windows ports, files and services. Paul Kurczaba (Feb 10)
- RE: Hidden windows ports, files and services. Robert Hines (Feb 11)
- <Possible follow-ups>
- RE: Hidden windows ports, files and services. Alex Yan (Feb 11)
- Re: Hidden windows ports, files and services. q q (Feb 11)
- RE: Hidden windows ports, files and services. Edy Lie (Feb 11)
- RE: Hidden windows ports, files and services. Endre Szekely (Feb 11)
- RE: Hidden windows ports, files and services. Nick Duda (Feb 11)
- Re: Hidden windows ports, files and services. Security (Feb 11)
- Re: Hidden windows ports, files and services. Varun Pitale (Feb 14)
- Re: Hidden windows ports, files and services. Security (Feb 11)
- RE: Hidden windows ports, files and services. Doug . Janelle (Feb 11)
(Thread continues...)