Re: Hidden windows ports, files and services.

[Mark Reis <mcr2z () cs virginia edu>]

Hello Alex,

Here are some steps that I've found are quite helpful.

1) Reboot into Safe Mode. I've found that will generally reveal the 
hidden processes as it loads with a minimal DLL set.

2) Check all of the typical places that process start. Registry, Start 
Menu, etc. While you are in safe mode, attempt to run your port scans. 
I'd suggest using TCPVIEW.exe from sysinternals along with their process 
explorer.
   - While looking in the registry, search for "AppTo" in the currently 
control set services.
   - Look for strangely named processes. Like svchostt, or processes 
(exe files) that start from strange locations.

3) Dig around extensively in c:\windows\system32 and system, sort on 
modification date. Typically you can look for modification dates around 
the time of infection. Once you find one part of the hack, use Windows 
search to find all files modified as well as created on this date. (Make 
sure to use the advanced procedure and search on all files along with 
changing the folder view to show everything). Look for dlls as well.

4) Check your "C:\System Volume Information" and "C:\RECYCLER" fold for 
the ftp files.

5) If all else fails, try booting into Knoppix and mount your drive to 
see if you can find the suspicious files there.

I hope this helps.

-Mark



Alex Yan wrote:

> In-Reply-To: <41C74BAA.4060400 () cs virginia edu>
>
> Hi ALL,
>
> Could anyone help me for the similar problem. I have a PC with XP prof. A hidden ftp process/service is running. Using 
> "netstat -aon", I can see
> two entries:
>
> Proto Local Address  Foreign Address  State      PID
> TCP   0.0.0.0:21     0.0.0.0:0        LISTENING  86
> TCP   0.0.0.0:21     0.0.0.0:0        LISTENING  420
>
> The process IDs can not be found via taskmanager, tasklist and pslist.
> The XP srvice manager didn't give any clue. What tools can I use to detect
> the process/program and how can I kill this hidden process. How can I 
> clean up the computer.
>
> Any help would be greatly appreciated.
>
> Thanks very much.
>
> Alex Yan
>
>
>
>  
>
> > Received: (qmail 1241 invoked from network); 20 Dec 2004 22:37:09 -0000
> > Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
> > by mail.securityfocus.com with SMTP; 20 Dec 2004 22:37:09 -0000
> > Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
> >         by outgoing2.securityfocus.com (Postfix) with QMQP
> >         id 875A214373C; Mon, 20 Dec 2004 15:06:22 -0700 (MST)
> > Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
> > Precedence: bulk
> > List-Id: <security-basics.list-id.securityfocus.com>
> > List-Post: <mailto:security-basics () securityfocus com>
> > List-Help: <mailto:security-basics-help () securityfocus com>
> > List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
> > List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> > Delivered-To: mailing list security-basics () securityfocus com
> > Delivered-To: moderator for security-basics () securityfocus com
> > Received: (qmail 13730 invoked from network); 20 Dec 2004 22:00:43 -0000
> > Message-ID: <41C74BAA.4060400 () cs virginia edu>
> > Date: Mon, 20 Dec 2004 17:01:14 -0500
> > From: Mark Reis <mcr2z () cs virginia edu>
> > User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
> > X-Accept-Language: en-us, en
> > MIME-Version: 1.0
> > Cc: security-basics () securityfocus com
> > Subject: Re: Hidden windows ports, files and services.
> > References: <8AAB5E48C043704B8F1B835DD8F0A44602B49A () ROBIN eightinonepet com>
> > In-Reply-To: <8AAB5E48C043704B8F1B835DD8F0A44602B49A () ROBIN eightinonepet com>
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> > Content-Transfer-Encoding: 7bit
> >
> > Hello Again,
> >
> > I've discovered the answer to part 2 - the machine was infected by a 
> > root kit that was intercepting all of system calls being issued by - 
> > active ports, fport and such. I actually found myself being quite 
> > impressed by this kit. Even running Dependency Walker and comparing it 
> > with my test machine was negative.
> >
> > The first clue was when I was inspecting the attributes on the system 
> > dll, I found some discrepancies on the flags. This led to me ultimately 
> > finding multiple duplicate DLLs in c:\windows\system32 called 
> > somedll.dll.tmp. What it appeared to being doing was returning the sizes 
> > and values of the original backed up files - thus masking the true trojans.
> >
> > -Mark
> >
> >