RE: Hidden windows ports, files and services.

["Paul Kurczaba" <seclists () securinews com>]

Open up a command prompt. Type "telnet 127.0.0.1 21". What does the banner
say?

-Paul

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com] 
Sent: Thursday, February 10, 2005 9:17 PM
To: security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.

In-Reply-To: <41C74BAA.4060400 () cs virginia edu>

Hi ALL,

Could anyone help me for the similar problem. I have a PC with XP prof. A
hidden ftp process/service is running. Using "netstat -aon", I can see two
entries:

Proto Local Address  Foreign Address  State      PID
TCP   0.0.0.0:21     0.0.0.0:0        LISTENING  86
TCP   0.0.0.0:21     0.0.0.0:0        LISTENING  420

The process IDs can not be found via taskmanager, tasklist and pslist.
The XP srvice manager didn't give any clue. What tools can I use to detect
the process/program and how can I kill this hidden process. How can I clean
up the computer.

Any help would be greatly appreciated.

Thanks very much.

Alex Yan



> Received: (qmail 1241 invoked from network); 20 Dec 2004 22:37:09 -0000
> Received: from outgoing.securityfocus.com (HELO 
> outgoing2.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 20 Dec 2004 22:37:09 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id 875A214373C; Mon, 20 Dec 2004 15:06:22 -0700 (MST)
> Mailing-List: contact security-basics-help () securityfocus com; run by 
> ezmlm
> Precedence: bulk
> List-Id: <security-basics.list-id.securityfocus.com>
> List-Post: <mailto:security-basics () securityfocus com>
> List-Help: <mailto:security-basics-help () securityfocus com>
> List-Unsubscribe: 
> <mailto:security-basics-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> Delivered-To: mailing list security-basics () securityfocus com
> Delivered-To: moderator for security-basics () securityfocus com
> Received: (qmail 13730 invoked from network); 20 Dec 2004 22:00:43 
> -0000
> Message-ID: <41C74BAA.4060400 () cs virginia edu>
> Date: Mon, 20 Dec 2004 17:01:14 -0500
> From: Mark Reis <mcr2z () cs virginia edu>
> User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
> X-Accept-Language: en-us, en
> MIME-Version: 1.0
> Cc: security-basics () securityfocus com
> Subject: Re: Hidden windows ports, files and services.
> References: 
> <8AAB5E48C043704B8F1B835DD8F0A44602B49A () ROBIN eightinonepet com>
> In-Reply-To: 
> <8AAB5E48C043704B8F1B835DD8F0A44602B49A () ROBIN eightinonepet com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
>
> Hello Again,
>
> I've discovered the answer to part 2 - the machine was infected by a 
> root kit that was intercepting all of system calls being issued by - 
> active ports, fport and such. I actually found myself being quite 
> impressed by this kit. Even running Dependency Walker and comparing it 
> with my test machine was negative.
>
> The first clue was when I was inspecting the attributes on the system 
> dll, I found some discrepancies on the flags. This led to me ultimately 
> finding multiple duplicate DLLs in c:\windows\system32 called 
> somedll.dll.tmp. What it appeared to being doing was returning the 
> sizes and values of the original backed up files - thus masking the true
trojans.
> -Mark