Security Basics mailing list archives

RE: Hidden windows ports, files and services.


From: "Paul Marsh" <pmarsh () nmefdn org>
Date: Tue, 15 Feb 2005 11:59:31 -0500

How should I say this.........................................

        NUKE IT
        FDISK IT
        DOD WIPE IT
        BEAT THE HDD WITH A HAMMER

Sorry, couldn't help it.  If the system was on line unprotected and
mis-configured for six months as you say, the box is 100% owned.  The
only step you can take is a complete system rebuild.  I would be very
concerned with privacy issues on the system in question.  Did you do any
on-line transactions?  How many secure sites that require a username and
password have you visited in the past six months?

        Back up all your important information.  Completely nuke the
HDD (DO NOT CONNECT TO THE INTERNET), reinstall your OS (DO NOT CONNECT
TO THE INTERNET), load all OS patches (DO NOT CONNECT TO THE INTERNET),
install AV and make sure it's 100% up to date (DO NOT CONNECT TO THE
INTERNET), firewall the system, then you should be safe to connect to the
internet.

        If you have the time prior to nuking the system, it would be a
great learning tool to load Ethereal on the system to see some of the
traffic.

Good Luck

Thanx, Paul

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com] 
Sent: Tuesday, February 15, 2005 11:37 AM
To: Paul Marsh; security-basics () securityfocus com
Subject: RE: Hidden windows ports, files and services.


About six months.

--- Paul Marsh <pmarsh () nmefdn org> wrote:

Alex:

      Some red flags popped up as soon as I read your last email.  "I 
didn't configure it right till last weekend"  How long had the system 
been up and running configured incorrectly?

Thanx, Paul

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Tuesday, February 15, 2005 11:20 AM
To: Paul Marsh; security-basics () securityfocus com
Subject: RE: Hidden windows ports, files and services.

Paul,

I have Verizon DSL with a Linksys router (BEFS41 ?). I didn't configure
it right till last weekend. The firewall and port blocking were not
working properly before. I did try the XP ftp server and SERV-U ftp,
but I already removed these components. Under IIS, there are no
services running now. As you suggested, I can try removing the IIS
component.

Thanks
Alex

--- Paul Marsh <pmarsh () nmefdn org> wrote:

Alex:

    Are you running IIS on the system in question?  Are you running
FTP along with IIS?  If you don't need them, go to Add/Remove Programs,
Add/Remove Windows Components, uncheck IIS and click Next, reboot and
do a netstat -bano and see what's listening now.  What kind of an
internet connection do you have, broadband maybe?

Thanx, Paul

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Tuesday, February 15, 2005 10:17 AM
To: Paul Marsh; security-basics () securityfocus com
Subject: RE: Hidden windows ports, files and services.

Hi Paul,

I did run TASKLIST before without "/SVC". The processes are invisible
to this command.

Last night, I checked Recycler, system32, system, etc., but didn't get
much.

I ran TCPVIEW and got two sets of interesting entries with
non-existent:

<non-existent>:348  local:ftp    LISTENING
<non-existent>:348  local:https  LISTENING
<non-existent>:348  local:6101   LISTENING

<non-existent>:1740  local:ftp    LISTENING
<non-existent>:1740  local:https  LISTENING
<non-existent>:1740  local:6101   LISTENING

These can be seen from "netstat" too. But I can't kill these processes
using TCPVIEW. I tried to kill other regular processes; that's OK.

Using "msconfig", I disabled sys.ini and win.ini, stopped loading
startup programs and disabled all services from loading except those
from Microsoft for a clean boot. But these processes are still there.

I also disabled some MS services like IIS, Plug/Play, Web Client, etc.
No luck. After I disabled "DHCP", the processes were gone. But after
"DHCP" was disabled, almost all other processes were gone too.

Next step, maybe I should do something in the registry.

Thanks
Alex

 
--- Paul Marsh <pmarsh () nmefdn org> wrote:

Alex:

  This is very interesting and hopefully you can do a little more
investigation before you nuke and rebuild.  You did a netstat -bano
and found two processes running listening on port 21.  Try a
TASKLIST /SVC at a command prompt to see if you can identify the
executable.  I'd do a complete port scan on the system to see what
else is happening; try NMAP http://www.insecure.org/nmap/ against your
system on all 65K ports TCP and UDP.  I'd also run Ethereal
http://www.ethereal.com/ on the system to see if anything is trying to
call home or if anything is trying to get in.  I'm hoping with the list
of listening ports and capturing some traffic we can identify what's
cook'in.  Another good source of info can be found at

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

  Please keep us up to date as to what you find.

Thanx

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Monday, February 14, 2005 2:39 PM
To: H Carvey; security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.

Hi all,

Thanks a lot for your help.
Over the weekend I tried some of the suggested options, but still
didn't get much yet.

Scanned the system using the latest Norton AV and Stinger in safe
mode. Nothing came out.

Ran "netstat -baon". It gives process IDs and program names for other
processes. For the processes related to port 21, it says "No ownership
information can be found".

Tried fport, cport, process explorer, etc., but no luck.

"telnet 127.0.0.1 21" gives the prompt "220 ." and then times out in
15 seconds. No telnet service was found in the Windows service list.

Tonight I will follow Mark's suggestions step by step and see if I
can get something. I will also try other options. If anything comes
out, I will let you know.

I am a software developer, more on Unix, not so familiar with the
Windows registry and all kinds of services and processes on XP. If I
cannot find the problem and fix it, I have to reformat the system. But
even after reformatting, there is still a chance that the system could
not be totally clean, because I have to restore some critical data from

=== message truncated ===
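The netstat -bano / TASKLIST /SVC cross-check that Paul suggests earlier in this thread can be scripted. The following is an added example, not code from the thread or from any of its participants: it parses constructed samples of both tools' output and reports listening sockets whose PID is absent from the task list or which netstat cannot attribute to an image, the "No ownership information can be found" symptom Alex saw on port 21. The PIDs, ports and image names in the samples are constructed, not taken from Alex's machine.

```python
import re

# Constructed sample of "netstat -bano" output on Windows XP. With -b, each
# row is followed by the owning image in [brackets] (optionally preceded by
# a service name) or by "No ownership information can be found".
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       348
  No ownership information can be found
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1740
  No ownership information can be found
  TCP    0.0.0.0:6101           0.0.0.0:0              LISTENING       1740
  No ownership information can be found
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       624
 [lsass.exe]
"""

# Constructed sample of "tasklist /svc" output from the same (hypothetical) box.
TASKLIST_OUTPUT = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    892 RpcSs
lsass.exe                      624 PolicyAgent, ProtectedStorage, SamSs
"""

# proto, local, foreign, optional state (UDP rows have none), PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return one dict per socket; -b attribution lines are collected in 'owner'."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, _foreign, state, pid = m.groups()
            entries.append({"proto": proto, "local": local, "state": state or "",
                            "pid": int(pid), "owner": []})
        elif entries and line.strip():
            entries[-1]["owner"].append(line.strip())
    return entries

def parse_tasklist(text):
    """Map PID -> (image name, list of hosted services) from tasklist /svc."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(.*)$", line.rstrip())
        if not m or m.group(1).startswith("="):
            continue  # header, separator and blank lines carry no PID
        image, pid, svcs = m.group(1).strip(), int(m.group(2)), m.group(3)
        procs[pid] = (image, [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")])
    return procs

def find_hidden_listeners(netstat_text, tasklist_text):
    """Listeners whose PID no visible process owns, or that netstat cannot attribute."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for e in parse_netstat(netstat_text):
        if e["proto"] == "TCP" and e["state"] != "LISTENING":
            continue  # only listening sockets are of interest here
        reasons = []
        if e["pid"] not in procs:
            reasons.append("pid not in tasklist")
        if any("No ownership information" in o for o in e["owner"]):
            reasons.append("netstat cannot attribute socket")
        if reasons:
            findings.append((e["pid"], e["local"], "; ".join(reasons)))
    return findings
```

A listener that shows up here but not in TASKLIST /SVC, Process Explorer or TCPVIEW is exactly the situation in which the thread's advice to capture traffic with Ethereal and then rebuild applies.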




