Security Basics mailing list archives
RE: Hidden windows ports, files and services.
From: "Paul Marsh" <pmarsh () nmefdn org>
Date: Tue, 15 Feb 2005 09:17:49 -0500
Alex:

This is very interesting and hopefully you can do a little more investigation before you nuke and rebuild. You did a netstat -bano and found two processes running listening on port 21. Try a TASKLIST /SVC at a command prompt to see if you can identify the executable. I'd do a complete port scan on the system to see what else is happening; try NMAP http://www.insecure.org/nmap/ against your system on all 65K ports TCP and UDP. I'd also run Ethereal http://www.ethereal.com/ on the system to see if anything is trying to call home or if anything is trying to get in. I'm hoping with the list of listening ports and capturing some traffic we can identify what's cook'in.

Another good source of info can be found at http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

Please keep us up to date as to what you find.

Thanx

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Monday, February 14, 2005 2:39 PM
To: H Carvey; security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.

Hi all,

Thanks a lot for your help. On the weekend I tried some suggested options, but still didn't get much yet.

Scanned the system using the latest Norton AV and Stinger in safe mode. Nothing came out.

Ran "netstat -baon". It gives process IDs and program names for other processes. For the processes related to port 21, it says "No ownership information can be found".

Tried fport, cport, process explorer, etc, but no luck.

"telnet 127.0.0.1 21" gives prompt "220 ." and then times out in 15 seconds. No telnet service was found in the Windows service list.

Tonight I will follow Mark's suggestions step by step and see if I can get something. I will also try other options. If anything comes out, I will let you know.

I am a software developer, more on Unix, not so familiar with the Windows registry and all kinds of services and processes on XP.

If I cannot find the problem and fix it, I have to reformat the system. But even after reformatting, there is still a chance that the system could not be totally clean, because I have to restore some critical data from the backup.

Thanks again.

Alex
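
The cross-check suggested in the reply above (tie each listening port from netstat to a process in TASKLIST /SVC, then compare against a port scan run from a second machine), as an added example that is not part of either message. The sample command outputs, PIDs and the scanned-port set are constructed for illustration.

```python
import re

# Constructed sample output (not from the thread): `netstat -ano` on the suspect host.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1812
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:1045          10.0.0.9:80            ESTABLISHED     2040
"""

# Constructed sample output: `tasklist /svc` on the same host.
TASKLIST = """\
Image Name                   PID Services
========================= ====== ==============================
System Idle Process            0 N/A
System                         4 N/A
svchost.exe                  932 RpcSs
iexplore.exe                2040 N/A
"""

def listeners(netstat_text):
    """Map local TCP port -> owning PID for every LISTENING row."""
    out = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            out[int(f[1].rsplit(":", 1)[1])] = int(f[4])
    return out

def processes(tasklist_text):
    """Map PID -> image name; the header and ===== rows do not match."""
    row = re.compile(r"^(.+?)\s+(\d+)\s+\S")
    return {int(m.group(2)): m.group(1)
            for m in map(row.match, tasklist_text.splitlines()) if m}

def cross_view(netstat_text, tasklist_text, scanned_open):
    """Return (listening ports whose PID has no tasklist entry,
    ports an outside scan found open that netstat does not list)."""
    ports, procs = listeners(netstat_text), processes(tasklist_text)
    orphaned = sorted(p for p, pid in ports.items() if pid not in procs)
    unlisted = sorted(set(scanned_open) - set(ports))
    return orphaned, unlisted

if __name__ == "__main__":
    # Constructed scan result: TCP ports a second machine saw open.
    print(cross_view(NETSTAT, TASKLIST, {21, 135, 445, 8080}))
```

A port in either returned list is one the local tools cannot account for, which is the kind of discrepancy worth capturing traffic on before rebuilding.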