Security Basics mailing list archives
RE: Hidden windows ports, files and services.
From: "Paul Marsh" <pmarsh () nmefdn org>
Date: Tue, 15 Feb 2005 11:59:31 -0500
How should I say this......................................... NUKE IT, FDISK IT, DOD WIPE IT, BEAT THE HDD WITH A HAMMER. Sorry, couldn't help it.

If the system was online, unprotected and mis-configured for six months as you say, the box is 100% owned. The only step you can take is a complete system rebuild. I would be very concerned with privacy issues on the system in question. Did you do any online transactions? How many secure sites that require a username and password have you visited in the past six months?

Back up all your important information. Completely nuke the HDD (DO NOT CONNECT TO THE INTERNET). Reinstall your OS (DO NOT CONNECT TO THE INTERNET). Load all OS patches (DO NOT CONNECT TO THE INTERNET). Install AV and make sure it's 100% up to date (DO NOT CONNECT TO THE INTERNET). Firewall the system; then you should be safe to connect to the internet.

If you have the time prior to nuking the system, it would be a great learning tool to load Ethereal on the system to see some of the traffic.

Good Luck

Thanx, Paul

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Tuesday, February 15, 2005 11:37 AM
To: Paul Marsh; security-basics () securityfocus com
Subject: RE: Hidden windows ports, files and services.

About six months.

--- Paul Marsh <pmarsh () nmefdn org> wrote:

Alex:

Some red flags popped up as soon as I read your last email. "I didn't configure it right till last weekend" How long had the system been up and running configured incorrectly?

Thanx, Paul

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Tuesday, February 15, 2005 11:20 AM
To: Paul Marsh; security-basics () securityfocus com
Subject: RE: Hidden windows ports, files and services.

Paul,

I have Verizon DSL with a Linksys router (BEFS41 ?). I didn't configure it right till last weekend. The firewall and port blocking were not working properly before. I did try the XP ftp server and SERV-U ftp. But I already removed these components. Under IIS, there are no services running now. As you suggested, I can try removing the IIS component.

Thanks
Alex

--- Paul Marsh <pmarsh () nmefdn org> wrote:

Alex:

Are you running IIS on the system in question? Are you running FTP along with IIS? If you don't need them, go to Add/Remove Programs, Add/Remove Windows Components, uncheck IIS and click Next, reboot and do a netstat -bano and see what's listening now. What kind of internet connection do you have, broadband maybe?

Thanx, Paul

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Tuesday, February 15, 2005 10:17 AM
To: Paul Marsh; security-basics () securityfocus com
Subject: RE: Hidden windows ports, files and services.

Hi Paul,

I did run TASKLIST before without "/SVC". The processes are invisible to this command. Last night, I checked Recycler, system32, system, etc, but didn't get much. I ran TCPVIEW and got two sets of interesting entries with non-existent:

<non-existent>:348 local:ftp LISTENING
<non-existent>:348 local:https LISTENING
<non-existent>:348 local:6101 LISTENING
<non-existent>:1740 local:ftp LISTENING
<non-existent>:1740 local:https LISTENING
<non-existent>:1740 local:6101 LISTENING

These can be seen from "netstat" too. But I can't kill these processes using TCPVIEW. I tried to kill other regular processes, and that's OK.

Using "msconfig", I disabled sys.ini and win.ini, stopped loading startup programs and disabled all services loading except those from Microsoft for a clean boot. But these processes are still there. I also disabled some MS services like IIS, Plug/Play, Web Client, etc. No luck. After I disabled "DHCP", the processes were gone. But after "DHCP" was disabled, almost all other processes were gone too. Next step, maybe I should do something in the registry.

Thanks
Alex

--- Paul Marsh <pmarsh () nmefdn org> wrote:

Alex:

This is very interesting and hopefully you can do a little more investigation before you nuke and rebuild. You did a netstat -bano and found two processes running listening on port 21. Try a TASKLIST /SVC at a command prompt to see if you can identify the executable. I'd do a complete port scan on the system to see what else is happening; try NMAP http://www.insecure.org/nmap/ against your system on all 65K ports TCP and UDP. I'd also run Ethereal http://www.ethereal.com/ on the system to see if anything is trying to call home or if anything is trying to get in. I'm hoping with the list of listening ports and capturing some traffic we can identify what's cook'in. Another good source of info can be found at
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

Please keep us up to date as to what you find.

Thanx

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Monday, February 14, 2005 2:39 PM
To: H Carvey; security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.

Hi all,

Thanks a lot for your help. On the weekend I tried some suggested options, but still didn't get much yet. Scanned the system using the latest Norton AV and Stinger in safe mode. Nothing came out. Ran "netstat -baon". It gives process IDs and program names for other processes. For the processes related to port 21, it says "No ownership information can be found". Tried fport, cport, process explorer, etc, but no luck. "telnet 127.0.0.1 21" gives prompt "220 ." and then times out in 15 seconds. No telnet service was found in the Windows service list. Tonight I will follow Mark's suggestions step by step and see if I can get something. I will also try other options. If anything comes out, I will let you know.

I am a software developer, more on Unix, not so familiar with the Windows registry and all kinds of services and processes on XP. If I can not find the problem and fix it, I have to reformat the system. But even after reformatting, there is still a chance that the system may not be totally clean, because I have to restore some critical data from

=== message truncated ===
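The netstat -bano / TASKLIST /SVC cross-check that Paul suggests, written up as an added example (it is not code from anyone in this thread): it parses both outputs and flags listening sockets whose PID is missing from the task list, or for which netstat prints "No ownership information can be found", which is exactly how Alex's port 21 entries presented. Both sample outputs below are constructed, not captures from the thread.

```python
import re
# Constructed "netstat -bano" output (not a capture from the thread).
NETSTAT_SAMPLE = """
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       348
  No ownership information can be found
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
 [svchost.exe]
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       348
  No ownership information can be found
  TCP    0.0.0.0:6101           0.0.0.0:0              LISTENING       1740
  No ownership information can be found
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1204
 [explorer.exe]
"""
# Constructed "tasklist /svc" output; PIDs 348 and 1740 are deliberately absent.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    940 RpcSs
explorer.exe                  1204 N/A
"""

def parse_netstat(text):
    """One dict per socket line, keeping the owner lines netstat -b prints beneath it."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            state = parts[3] if parts[0] == "TCP" else ""  # UDP has no state column
            sockets.append({"proto": parts[0], "local": parts[1], "state": state,
                            "pid": int(parts[-1]), "owner": []})
        elif parts and sockets:
            sockets[-1]["owner"].append(line.strip())
    return sockets

def parse_tasklist(text):
    """Map PID -> image name; header and ruler lines carry no PID and are skipped."""
    rows = (re.match(r"^(.+?)\s+(\d+)\s+\S", line) for line in text.splitlines())
    return {int(m.group(2)): m.group(1).strip() for m in rows if m}

def find_orphan_listeners(netstat_text, tasklist_text):
    """Listeners no visible process accounts for: PID absent from the task list, or no owner."""
    procs, orphans = parse_tasklist(tasklist_text), []
    for s in parse_netstat(netstat_text):
        if s["proto"] == "TCP" and s["state"] != "LISTENING":
            continue  # established/closing TCP sockets are not listeners
        if s["pid"] not in procs or any(o.startswith("No ownership") for o in s["owner"]):
            orphans.append((s["proto"], s["local"], s["pid"]))
    return orphans
```

Any PID that netstat reports but tasklist cannot show is the signal worth chasing with Process Explorer or an offline scan; a hidden process can lie to tasklist but still has to own a socket to listen.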