RE: Hidden windows ports, files and services.

[Alex Yan <drcyyan () yahoo com>]

Hi Paul,

I did run TASKLIST before without "/SVC" The processes
are invisible to this command.

Last night, I checked Recycler, system32, system, etc,
but didn't get much.

I run TCPVIEW and got two set of interesting entries
with non-existent:

<non-existent>:348  local:ftp    LISTENING
<non-existent>:348  local:https  LISTENING
<non-existent>:348  local:6101   LISTENING

<non-existent>:1740  local:ftp    LISTENING
<non-existent>:1740  local:https  LISTENING
<non-existent>:1740  local:6101   LISTENING

These can be seen from "netstat" too. But I can't kill
these processes using TCPVIEW. I tried to kill other
regular processes, it's OK.

Using "msconfig", I disabled sys.ini and win.ini,
stopped to load startup programs and disabled all
services loading except those from Microsoft for a
clean boot. But these processes are still there.

I also disabled some MS services like IIS, Plug/Play.
Web Client, etc. No luck. After I disabled "DHCP",
processes are gone. But after "DHCP" was disabled,
almost all other processes are gone too.

Next step, maybe I should do something on registry.

Thanks
Alex

 
--- Paul Marsh <pmarsh () nmefdn org> wrote:

>  Alex:
>
>       This is very interesting and hopefully you can do a
> little more
> investigation before you nuke and rebuild.  You did
> an netstat -bano and
> found two processes running listening on port 21. 
> Try a TASKLIST /SVC
> at a command prompt to see if you can identify the
> executable.  I'd do a
> complete port scan on the system to see what else is
> happening try NMAP
> http://www.insecure.org/nmap/ against your system on
> all 65K ports TCP
> and UDP.  I'd also run Ethereal
> http://www.ethereal.com/ on the system
> to see if anything is trying to call home or if
> anything is trying to
> get in.  I'm hoping with the list of listening ports
> and capturing some
> traffic we can identify what's cook'in.  Another
> good source of info can
> be found at
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_an
> d_Rootkit_Tools_in_a_Windows_Environment.html
>
>       Please keep us up to date as to what you find.
>
> Thanx
>
> -----Original Message-----
> From: Alex Yan [mailto:drcyyan () yahoo com] 
> Sent: Monday, February 14, 2005 2:39 PM
> To: H Carvey; security-basics () securityfocus com
> Subject: Re: Hidden windows ports, files and
> services.
>
> Hi all,
>
> Thanks a lot for your help.
> On weekend I tried some suggested options, but still
> didn't get much
> yet.
>
> Scanned the system using the latest Norton AV and
> Stinger in the safe
> mode. Nothing came out.
>
> Run "netstat -baon". It gives process IDs and
> program names for other
> processes. For the processes related to port 21, it
> says "No ownership
> information can be found".
>
> Tried fport, cport, process explorer, etc, but no
> luck.
>
> "telnet 127.0.0.1 21" gives prompt "220 ." and then
> times out in 15
> seconds. No telnet service was found in Windows
> service list.
>
> Tonight I will follow the Mark's suggestions step by
> step and see if I
> can get something. I will also try other options. If
> anything came out,
> I will let you know.
>
> I am a software developer, more on Unix, not so
> familiar with Windows
> registry and all kinds of services and processes on
> XP. If I can not
> find the problem and fix it, I have to reformat the
> system. But even
> after reformating, there is still a chance that the
> system could not be
> totally clean, because I have to restore some
> critical data from the
> backup.
>
> Thanks again.
> Alex


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com