Re: Hidden windows ports, files and services.

["Security" <security () sustainedhits com>]

You might find this helpful:
http://home.arcor.de/scheinsicherheit/rootkits.htm

I really doubt a different tool like Fprot would do much but show the same 
thing he's getting through netstat if the system calls are being hooked to 
hide the process using the standard methods.

You need to get those processes (at least the one(s) that have port 21 open) 
so they will display in the regular task manager list by cleaning out 
whatever is hiding them, then determine what it was hiding.  If it doesn't 
show up in task manager, you can be pretty sure there is a rootkit 
intercepting vital system calls and hiding processes from being 
shown/killed/etc. - the only reason he stumbled upon it is because they were 
too sloppy to hide the port from netstat too.

----- Original Message ----- 
From: "Nick Duda" <nduda () VistaPrint com>
To: "Paul Kurczaba" <seclists () securinews com>; "Alex Yan" 
<drcyyan () yahoo com>; <security-basics () securityfocus com>
Sent: Friday, February 11, 2005 5:23 AM
Subject: RE: Hidden windows ports, files and services.


> Use Fport to detect the proc.
>
> - Nick
>
> -----Original Message----- 
> From: Paul Kurczaba [mailto:seclists () securinews com]
> Sent: Thu 2/10/2005 3:09 PM
> To: 'Alex Yan'; security-basics () securityfocus com
> Cc:
> Subject: RE: Hidden windows ports, files and services.
>
>
>
> Open up a command prompt. Type "telnet 127.0.0.1 21". What does the banner
> say?
>
> -Paul
>
> -----Original Message-----
> From: Alex Yan [mailto:drcyyan () yahoo com]
> Sent: Thursday, February 10, 2005 9:17 PM
> To: security-basics () securityfocus com
> Subject: Re: Hidden windows ports, files and services.
>
> In-Reply-To: <41C74BAA.4060400 () cs virginia edu>
>
> Hi ALL,
>
> Could anyone help me for the similar problem. I have a PC with XP prof. A
> hidden ftp process/service is running. Using "netstat -aon", I can see two
> entries:
>
> Proto Local Address  Foreign Address  State      PID
> TCP   0.0.0.0:21     0.0.0.0:0        LISTENING  86
> TCP   0.0.0.0:21     0.0.0.0:0        LISTENING  420
>
> The process IDs can not be found via taskmanager, tasklist and pslist.
> The XP srvice manager didn't give any clue. What tools can I use to detect
> the process/program and how can I kill this hidden process. How can I 
> clean
> up the computer.
>
> Any help would be greatly appreciated.
>
> Thanks very much.
>
> Alex Yan
>
>
>
> >Received: (qmail 1241 invoked from network); 20 Dec 2004 22:37:09 -0000
> >Received: from outgoing.securityfocus.com (HELO
> >outgoing2.securityfocus.com) (205.206.231.26)
> >  by mail.securityfocus.com with SMTP; 20 Dec 2004 22:37:09 -0000
> >Received: from lists.securityfocus.com (lists.securityfocus.com
> [205.206.231.19])
> >       by outgoing2.securityfocus.com (Postfix) with QMQP
> >       id 875A214373C; Mon, 20 Dec 2004 15:06:22 -0700 (MST)
> >Mailing-List: contact security-basics-help () securityfocus com; run by
> >ezmlm
> >Precedence: bulk
> >List-Id: <security-basics.list-id.securityfocus.com>
> >List-Post: <mailto:security-basics () securityfocus com>
> >List-Help: <mailto:security-basics-help () securityfocus com>
> >List-Unsubscribe:
> ><mailto:security-basics-unsubscribe () securityfocus com>
> >List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> >Delivered-To: mailing list security-basics () securityfocus com
> >Delivered-To: moderator for security-basics () securityfocus com
> >Received: (qmail 13730 invoked from network); 20 Dec 2004 22:00:43
> >-0000
> >Message-ID: <41C74BAA.4060400 () cs virginia edu>
> >Date: Mon, 20 Dec 2004 17:01:14 -0500
> >From: Mark Reis <mcr2z () cs virginia edu>
> >User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
> >X-Accept-Language: en-us, en
> >MIME-Version: 1.0
> >Cc: security-basics () securityfocus com
> >Subject: Re: Hidden windows ports, files and services.
> >References:
> ><8AAB5E48C043704B8F1B835DD8F0A44602B49A () ROBIN eightinonepet com>
> >In-Reply-To:
> ><8AAB5E48C043704B8F1B835DD8F0A44602B49A () ROBIN eightinonepet com>
> >Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >Content-Transfer-Encoding: 7bit
> >
> >Hello Again,
> >
> >I've discovered the answer to part 2 - the machine was infected by a
> >root kit that was intercepting all of system calls being issued by -
> >active ports, fport and such. I actually found myself being quite
> >impressed by this kit. Even running Dependency Walker and comparing it
> >with my test machine was negative.
> >
> >The first clue was when I was inspecting the attributes on the system
> >dll, I found some discrepancies on the flags. This led to me ultimately
> >finding multiple duplicate DLLs in c:\windows\system32 called
> >somedll.dll.tmp. What it appeared to being doing was returning the
> >sizes and values of the original backed up files - thus masking the true
> trojans.
> >
> >-Mark
> >