Security Incidents mailing list archives
Re: NT Compromise
From: Christine Merey <cmerey2 () algorithmics com>
Date: Wed, 19 Dec 2001 16:38:44 -0500
-----Original Message-----
From: Eric Hines [mailto:eric3+ () pitt edu]
Sent: Wednesday, December 19, 2001 2:46 PM
To: incidents () securityfocus com
Subject: NT Compromise

Hey all,

I am responding to several compromised NT boxes and am trying to find a utility that will allow you to see what program is bound to a particular port. I think I've seen one that shows what ports are bound to command.com, but need something similar for other programs/trojans/etc. Is there something available?

Has anyone seen a compromised NT box with port 6667 open that does not seem to be running an IRCD? Check out the below snippet from netstat. I've tried connecting to the 6667 port with mIRC.. Nothing at all! I need to find out what process/application opened this port.

On this note, can anyone recommend a good forensics toolkit for Windows to be used on compromised machines?

C:\ netstat -an
-- snip --
TCP 0.0.0.0:6666 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6667 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6668 0.0.0.0:0 LISTENING
-- snap --
Try Arne Vidstrom's inzider to get an "lsof" type of information on NT/2000: www.ntsecurity.nu/toolbox/inzider, it will tell you port/app mappings.

Secondly, check out www.sysinternals.com - they have a gold mine of free tools that will give you the skinny on your NT box - in particular to find what this app is, look at: TDIMon for network connections, and Process Explorer for all processes running on your system (obviously, if it doesn't show your 6667 listener then it's hidden.).

Chris.

Christine Merey
Security Administrator
Toronto, Ontario
cmerey () algorithmics com
PGP Key-ID: 0x880E574A

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
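The port-to-process mapping and the "if the tool doesn't show the listener, it's hidden" cross-check discussed in this thread, as an added example that is not part of the original posts or of any of the tools named in them. It assumes a current Windows build with the NetTCPIP module (Get-NetTCPConnection), runs elevated so process image paths are readable, and uses the ports from the netstat snippet above as a constructed watch list.

```powershell
# Added example (not from the thread). Map listening TCP ports to their owning
# process via the Windows API, then compare that view with netstat's own
# output: a listener present in one view but not the other deserves a closer
# look. Assumes Windows 8 / Server 2012 or later and an elevated shell.
param(
    # Constructed watch list, taken from the netstat snippet in the original post.
    [int[]]$Ports = @(6666, 6667, 6668)
)

# View 1: the API, joined with the owning process name and image path.
$apiListeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Port    = [int]$_.LocalPort
        Address = $_.LocalAddress
        PID     = $_.OwningProcess
        Process = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        Path    = if ($proc -and $proc.Path) { $proc.Path } else { '<unavailable>' }
    }
}

# View 2: netstat's output, parsed for TCP sockets in LISTENING state.
$netstatPorts = netstat -an | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$Matches[1] }
} | Sort-Object -Unique

# Per-port verdict for the watch list.
foreach ($port in $Ports) {
    $hit = $apiListeners | Where-Object Port -eq $port | Select-Object -First 1
    if ($hit) {
        "Port $port -> PID $($hit.PID) $($hit.Process) ($($hit.Path))"
    } elseif ($netstatPorts -contains $port) {
        "Port $port LISTENING per netstat but no owner via API: investigate"
    } else {
        "Port $port not listening"
    }
}

# Whole-host discrepancy report between the two views.
$apiPorts    = $apiListeners.Port | Sort-Object -Unique
$onlyNetstat = $netstatPorts | Where-Object { $apiPorts -notcontains $_ }
$onlyApi     = $apiPorts     | Where-Object { $netstatPorts -notcontains $_ }
if ($onlyNetstat) { "Ports seen only by netstat: $($onlyNetstat -join ', ')" }
if ($onlyApi)     { "Ports seen only by the API: $($onlyApi -join ', ')" }
```

Both views are taken from the same (possibly compromised) kernel, so agreement between them is not proof of a clean host; a disagreement is the actionable signal.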