Security Basics mailing list archives

RE: Hidden windows ports, files and services.


From: Doug.Janelle () Thermo com
Date: Fri, 11 Feb 2005 15:55:06 -0500



You could also try TCPVIEW from Sysinternals. Leave it running in a visible
window and it'll show you all the procs as well as color-coded alerts when they
trigger.

-dcj2





Use Fport to detect the proc.

- Nick

     -----Original Message-----
     From: Alex Yan [mailto:drcyyan () yahoo com]
     Sent: Thursday, February 10, 2005 9:17 PM
     To: security-basics () securityfocus com
     Subject: Re: Hidden windows ports, files and services.

     In-Reply-To: <41C74BAA.4060400 () cs virginia edu>

     Hi ALL,

     Could anyone help me with a similar problem? I have a PC with XP Prof. A
     hidden FTP process/service is running. Using "netstat -aon", I can see two
     entries:

     Proto Local Address  Foreign Address  State      PID
     TCP   0.0.0.0:21     0.0.0.0:0        LISTENING  86
     TCP   0.0.0.0:21     0.0.0.0:0        LISTENING  420

     The process IDs cannot be found via Task Manager, tasklist or pslist.
     The XP service manager didn't give any clue. What tools can I use to detect
     the process/program, and how can I kill this hidden process? How can I clean
     up the computer?

     Any help would be greatly appreciated.

     Thanks very much.

     Alex Yan



     >Message-ID: <41C74BAA.4060400 () cs virginia edu>
     >Date: Mon, 20 Dec 2004 17:01:14 -0500
     >From: Mark Reis <mcr2z () cs virginia edu>
     >Subject: Re: Hidden windows ports, files and services.
     >
     >Hello Again,
     >
     >I've discovered the answer to part 2 - the machine was infected by a
     >root kit that was intercepting all of the system calls being issued by
     >active ports, fport and such. I actually found myself being quite
     >impressed by this kit. Even running Dependency Walker and comparing it
     >with my test machine was negative.
     >
     >The first clue was when I was inspecting the attributes on the system
     >dll: I found some discrepancies in the flags. This led to me ultimately
     >finding multiple duplicate DLLs in c:\windows\system32 called
     >somedll.dll.tmp. What it appeared to be doing was returning the
     >sizes and values of the original backed-up files - thus masking the true
     >trojans.
     >
     >-Mark
     >
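The two symptoms in this thread (Alex's port-21 listeners whose PIDs are missing from every process list, and Mark's NAME.dll.tmp copies sitting beside the real DLLs in system32) are both "cross-view" discrepancies: two sources that should agree about the same system do not. The script below is an added example, not code from anyone on the list; it parses the `netstat -aon` and `tasklist /fo csv /nh` formats, reports socket owners that are absent from the process list, and pairs every `*.dll.tmp` with its `.dll` sibling to compare size and SHA-256. The netstat and tasklist text and the `sample.dll` files are constructed for the demo; `live_check()` runs the real tools only on a Windows host.

```python
"""Added example: cross-view checks for the two symptoms in this thread.
Sample data is constructed; nothing touches a real system unless
live_check() is called on Windows."""
import csv
import hashlib
import io
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed `netstat -aon` output; the two port-21 rows reuse the PIDs from the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       86
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1320
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /fo csv /nh` output; PIDs 86 and 420 are deliberately absent.
SAMPLE_TASKLIST = """\
"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","212 K"
"svchost.exe","812","Console","0","4,112 K"
"alg.exe","1320","Console","0","3,280 K"
"""

# proto, local, remote, optional state (UDP rows have none), pid
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row of `netstat -aon` output."""
    entries = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            entries.append({"proto": proto, "local": local, "remote": remote,
                            "state": state or "", "pid": int(pid)})
    return entries


def parse_tasklist_csv(text):
    """Return {pid: image_name} from `tasklist /fo csv /nh` output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text))
            if len(row) >= 2 and row[1].isdigit()}


def find_orphan_sockets(netstat_entries, procs):
    """Sockets whose owning PID the process list does not know about."""
    return [e for e in netstat_entries if e["pid"] not in procs]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dll_tmp_duplicates(directory):
    """Pair every NAME.dll.tmp with NAME.dll and record whether they differ."""
    findings = []
    for tmp in sorted(Path(directory).glob("*.dll.tmp")):
        original = tmp.with_suffix("")          # NAME.dll.tmp -> NAME.dll
        if not original.is_file():
            continue
        o_size, t_size = original.stat().st_size, tmp.stat().st_size
        findings.append({"name": original.name, "dll_size": o_size,
                         "tmp_size": t_size, "sizes_differ": o_size != t_size,
                         "hashes_differ": sha256_of(original) != sha256_of(tmp)})
    return findings


def demo_dll_check():
    """Scan a throwaway directory shaped like Mark's find (constructed files)."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d)
        (p / "sample.dll").write_bytes(b"MZ" + b"A" * 100)      # stand-in for the real DLL
        (p / "sample.dll.tmp").write_bytes(b"MZ" + b"B" * 64)   # differing sibling copy
        (p / "stray.dll.tmp").write_bytes(b"C")                  # no matching .dll: ignored
        return find_dll_tmp_duplicates(d)


def live_check():
    """On a Windows host, run the real tools and return the orphan sockets."""
    if os.name != "nt":
        raise RuntimeError("live_check() needs netstat and tasklist on Windows")
    ns = subprocess.run(["netstat", "-aon"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True, check=True).stdout
    return find_orphan_sockets(parse_netstat(ns), parse_tasklist_csv(tl))


if __name__ == "__main__":
    for e in find_orphan_sockets(parse_netstat(SAMPLE_NETSTAT), parse_tasklist_csv(SAMPLE_TASKLIST)):
        print(f"{e['proto']} {e['local']} {e['state']} owned by PID {e['pid']}: not in tasklist")
    for f in demo_dll_check():
        print(f"{f['name']}: .tmp sibling present, sizes_differ={f['sizes_differ']}, "
              f"hashes_differ={f['hashes_differ']}")
```

The caveat Mark's message makes concrete: a rootkit that hooks the enumeration calls both tools rely on hides from both sides of this comparison, so a clean result from two tools on the same live box is weak evidence. The second check only works because it reads file sizes and hashes directly rather than asking the hooked process-listing API, and the stronger version of it is the one Mark actually did: compare against a known-clean machine or an offline copy of the disk.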
