Security Incidents mailing list archives
NT Compromise
From: Eric Hines <eric3+ () pitt edu>
Date: Wed, 19 Dec 2001 14:45:43 -0500
Hey all,

I am responding to several compromised NT boxes and am trying to find a utility that will allow you to see what program is bound to a particular port. I think I've seen one that shows what ports are bound to command.com, but need something similar for other programs/trojans/etc. Is there something available?

Has anyone seen a compromised NT box with port 6667 open that does not seem to be running an IRCD? Check out the below snippet from netstat. I've tried connecting to the 6667 port with mIRC.. Nothing at all! I need to find out what process/application opened this port. On this note, can anyone recommend a good forensics toolkit for Windows to be used on compromised machines?

C:\> netstat -an
-- snip --
  TCP    0.0.0.0:6666    0.0.0.0:0    LISTENING
  TCP    0.0.0.0:6667    0.0.0.0:0    LISTENING
  TCP    0.0.0.0:6668    0.0.0.0:0    LISTENING
-- snap --

2nd Problem: Does anyone know what the REDIRECTOR in Windows NT/2000 is? I am seeing a compromised NT box full of such logs in the event/security viewer. Logs have been pasted below. Notice all of the different hostnames/machines it's attempting to access. Add 70-something other machines to the below list. What is it, and is this a sign of a definite compromise?

12/17/01 1:16:26 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to READING.
12/17/01 1:15:11 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to STEELSRV.
12/17/01 1:14:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PUBLICSAFETY1.
12/17/01 1:12:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to ANITRA-00.
12/17/01 1:10:41 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SRFS-PDC.
12/17/01 1:09:31 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to GODZILLA.
12/17/01 1:08:21 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SDMWWW.
12/17/01 1:07:11 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to EXCHANGE.
12/17/01 1:06:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PICASSO.
12/17/01 1:04:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PITT-TV3.
12/17/01 1:03:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to COMPUTERZ.
12/17/01 1:02:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to SDMGENETICS1.
12/17/01 1:01:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to BOHNER2.
12/17/01 1:00:36 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to CALIBAN.

Please advise!

Eric

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
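As an added example (not part of the original post or any responder's code), a small Python triage script for the two kinds of output quoted above: it picks out LISTENING sockets in the IRC port range from `netstat -an` text and counts the distinct hosts named in Event ID 3013 redirector time-outs, flagging the burst of outbound requests to many different machines that the poster describes. The sample input is constructed in the shape of the post's output; the suspect port range, the baseline ports and the scan threshold are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the post's "netstat -an" output (not real data).
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6668           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1034          ESTABLISHED
"""

# Constructed sample in the shape of the post's Event Viewer lines (source Rdr, Event ID 3013).
EVENTLOG_SAMPLE = """\
12/17/01 1:16:26 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to READING.
12/17/01 1:15:11 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to STEELSRV.
12/17/01 1:14:01 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to PUBLICSAFETY1.
12/17/01 1:12:51 PM Rdr Warning None 3013 N/A INTERACT The redirector has timed out a request to STEELSRV.
12/17/01 1:10:41 PM Srv Information None 2013 N/A INTERACT The disk is nearly full.
"""

SUSPECT_PORTS = range(6660, 6670)   # assumed: the IRC range the post is worried about
SCAN_THRESHOLD = 3                  # assumed: distinct SMB targets before we call it scan-like

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)
RDR_RE = re.compile(
    r"^(\S+ \S+ [AP]M) Rdr Warning None 3013 .*?timed out a request to (\S+?)\.?$", re.M)

def suspicious_listeners(netstat_text):
    """Return (local_addr, port) for LISTENING TCP sockets in the suspect range."""
    return [(addr, int(port)) for addr, port in LISTEN_RE.findall(netstat_text)
            if int(port) in SUSPECT_PORTS]

def redirector_targets(eventlog_text):
    """Count distinct hosts named in Rdr Event ID 3013 time-outs (other sources ignored)."""
    return Counter(host for _, host in RDR_RE.findall(eventlog_text))

def triage(netstat_text, eventlog_text):
    """Summarise both indicators: unexpected listeners and scan-like outbound SMB activity."""
    targets = redirector_targets(eventlog_text)
    return {
        "listeners": suspicious_listeners(netstat_text),
        "distinct_targets": len(targets),
        "scan_like": len(targets) >= SCAN_THRESHOLD,
    }

if __name__ == "__main__":
    for key, value in triage(NETSTAT_SAMPLE, EVENTLOG_SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a saved `netstat -an` capture and an exported Event Viewer log, the output tells you which listeners to chase down to a process and whether the redirector noise looks like the host reaching out to many machines in a short window.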