Security Basics mailing list archives

RE: Hidden windows ports, files and services.


From: "Edy Lie" <email () edylie net>
Date: Fri, 11 Feb 2005 18:55:51 +0800

Hi Alex,

Install a packet sniffer on it, for example Ethereal, and once the attacker
logs in you will be able to figure out the credentials and the stuff he is doing.

Cheers,
Edy

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com] 
Sent: Friday, February 11, 2005 4:27 AM
To: Paul Kurczaba; security-basics () securityfocus com
Subject: RE: Hidden windows ports, files and services.

Hi Paul,

I'll try it. I tried to "ftp" to the infected machine and the connection
is OK. I can't log in because I don't know the username/password.

Thanks
Alex
 
--- Paul Kurczaba <seclists () securinews com> wrote:

Open up a command prompt. Type "telnet 127.0.0.1 21". What does the banner
say?

-Paul

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com] 
Sent: Thursday, February 10, 2005 9:17 PM
To: security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.

In-Reply-To: <41C74BAA.4060400 () cs virginia edu>

Hi ALL,

Could anyone help me with a similar problem? I have a PC with XP Prof. A
hidden ftp process/service is running. Using "netstat -aon", I can see two
entries:

Proto Local Address  Foreign Address  State      PID
TCP   0.0.0.0:21     0.0.0.0:0        LISTENING  86
TCP   0.0.0.0:21     0.0.0.0:0        LISTENING  420

The process IDs cannot be found via Task Manager, tasklist or pslist.
The XP service manager didn't give any clue. What tools can I use to detect
the process/program, and how can I kill this hidden process? How can I clean
up the computer?

Any help would be greatly appreciated.

Thanks very much.

Alex Yan



Message-ID: <41C74BAA.4060400 () cs virginia edu>
Date: Mon, 20 Dec 2004 17:01:14 -0500
From: Mark Reis <mcr2z () cs virginia edu>
Subject: Re: Hidden windows ports, files and services.

Hello Again,

I've discovered the answer to part 2 - the machine was infected by a
root kit that was intercepting all of the system calls being issued by
active ports, fport and such. I actually found myself being quite
impressed by this kit. Even running Dependency Walker and comparing it
with my test machine was negative.

The first clue was when I was inspecting the attributes on the system
dll: I found some discrepancies in the flags. This led to me ultimately
finding multiple duplicate DLLs in c:\windows\system32 called
somedll.dll.tmp. What it appeared to be doing was returning the
sizes and values of the original backed-up files - thus masking the true
trojans.

-Mark
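The symptom Alex describes (netstat -aon reports PIDs that Task Manager, tasklist and pslist do not show) is the classic cross-view discrepancy a user-mode rootkit leaves behind. The following script is an added example, not code from the thread or from any tool named in it: it parses captured "netstat -aon" and "tasklist" output and reports every PID that owns a socket but is missing from the process list. The sample output is constructed here to mirror the two port 21 listeners in Alex's message; the regular expressions assume the column layout of Windows XP era netstat and tasklist, which is an assumption of this example.

```python
"""Cross-view check: PIDs that own sockets but are absent from the process list.

Added example (not from the mailing-list thread). Feed it the text of
`netstat -aon` and `tasklist` captured on the suspect machine; a PID that
appears in the socket table but not in the process table is worth a closer
look, because something is filtering what the process-listing APIs return.
"""
import re

# Constructed sample output, modelled on the netstat -aon listing in the thread.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       86
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1200
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample tasklist output: note that PIDs 86 and 420 are absent.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                    944 Console                    0      4,212 K
explorer.exe                  1200 Console                    0     12,004 K
"""

# netstat rows: proto, local, foreign, optional state (UDP rows have none), pid.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)
# tasklist rows: image name (may contain spaces), pid, session name, session#, mem.
TASKLIST_RE = re.compile(
    r"^(.*?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+)\s+K\s*$"
)


def parse_netstat(text):
    """Return {pid: [(proto, local_address, state), ...]} for every socket row."""
    sockets = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, _foreign, state, pid = m.groups()
            sockets.setdefault(int(pid), []).append((proto, local, state or ""))
    return sockets


def parse_tasklist(text):
    """Return {pid: image_name} for every process row (header lines are skipped)."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def hidden_socket_owners(netstat_text, tasklist_text):
    """PIDs present in the socket table but missing from the process table."""
    sockets = parse_netstat(netstat_text)
    visible = parse_tasklist(tasklist_text)
    return {pid: rows for pid, rows in sockets.items() if pid not in visible}


if __name__ == "__main__":
    for pid, rows in sorted(hidden_socket_owners(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items()):
        for proto, local, state in rows:
            print(f"PID {pid} owns {proto} {local} {state} but is not in tasklist")
```

A rootkit that hooks both the socket and the process enumeration consistently will not show up in this comparison, which is why the other suggestions in the thread matter: Paul's banner check against 127.0.0.1:21 and Edy's sniffer both observe the service from outside the hooked APIs, and Mark's discrepancy was found in file attributes rather than in any process listing. The comparison is most trustworthy when one of the two views comes from a clean environment (an offline boot or a scan from another host).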









