Security Basics mailing list archives
Re: Hidden windows ports, files and services.
From: "Security" <security () sustainedhits com>
Date: Wed, 16 Feb 2005 08:49:24 -0500
Try using some tools that aren't affected by rootkits. I gave you the URL to a good handful of them in my previous response. So you don't have to go digging, here it is: http://home.arcor.de/scheinsicherheit/rootkits.htm

Using the 'standard' tools like you have done will yield little if any results, as they are just using the standard API calls that are being hooked by whatever is infecting your system. This means they are being 'tricked' as much as the standard Windows utilities. You need to use programs that are unaffected by the modifications being made to the running task list etc., if you really want to find this thing.
What your first priority should be is to find the registry keys that start it, and remove them, so you can at least reboot and then come back to a system that is telling you the truth about what's running. Then run some AV scanner or manually quarantine anything suspicious.
Sniffing logs and running 'malware' finding apps might get you a little bit further if they produce any results at all, and if an intruder notices you doing this they may just wipe your machine for you so they won't be caught.. just a warning before you plug the PC back into the network and go log-happy.. personally I'd turn off what they were running and put a honeypot-type process on that port once the system was cleaned and I was sure they couldn't get back in through any backdoors they may have planted.
Just my .02, I've dealt with many machines infected with rootkits, and never have any huge problems removing them - nor have I had the system wiped from beneath me, as I've seen happen to others who didn't know any better. :)
Have fun dissecting your box, and do tell what you find!

Chris

----- Original Message -----
From: "Mario Pascucci" <ilpettegolo () yahoo it>
To: <security-basics () securityfocus com>
Sent: Tuesday, February 15, 2005 3:19 AM
Subject: Re: Hidden windows ports, files and services.
On Mon, 2005-02-14 at 20:38, Alex Yan wrote:

> Hi all, thanks a lot for your help. On the weekend I tried some suggested options, but still didn't get much yet. Scanned the system using the latest Norton AV and Stinger in safe mode. Nothing came out. Ran "netstat -baon". It gives process IDs and program names for the other processes. For the processes related to port 21, it says "No ownership information can be found". Tried fport, cport, Process Explorer, etc., but no luck. "telnet 127.0.0.1 21" gives the prompt "220 ." and then times out in 15 seconds. No telnet service was found in the Windows service list.

Try to use HijackThis and post the log. Some of the malware in the wild uses things such as browser helper objects, running as a service or similar behavior, to hide itself.

-- 
Mario "Reliant" Pascucci
http://ilpettegolo.altervista.org/
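The point Chris makes above is that tools built on the same hooked API calls all tell the same lie, so the useful check is to compare views the rootkit cannot all control at once: what `netstat -baon` claims, what `tasklist` claims, and what another machine on the LAN actually sees on the wire. The script below is an added example and is not code from the thread or from any of the tools it mentions. It parses constructed samples resembling `netstat -baon` and `tasklist /fo csv` output (fictitious PIDs and image names) together with a constructed list of ports observed by an external scan, and reports every disagreement: a listener netstat cannot attribute to an image (the "No ownership information can be found" case Alex saw on port 21), a PID that owns a socket but is missing from the process list, and a port that answers from the network but does not appear in netstat at all.

```python
"""Cross-view check: host-reported listeners vs. process list vs. external scan.

Added example, not from the original thread. All sample data below is
constructed; PIDs, image names and ports are fictitious.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: what the (possibly compromised) host's netstat -baon reports.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  [svchost.exe]
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1488
  No ownership information can be found
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING       2712
  [svchost.exe]
"""

# Constructed sample: tasklist /fo csv from the same host.
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","804","Console","0","4,912 K"
"explorer.exe","1204","Console","0","18,300 K"
"svchost.exe","2712","Console","0","5,004 K"
'''

# Constructed sample: open TCP ports seen by a port scan from another LAN host.
EXTERNAL_SCAN_PORTS: Set[int] = {21, 135, 445, 3389, 31337}

# Matches a LISTENING TCP line and captures the local port and owning PID.
SOCKET_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


@dataclass
class Listener:
    port: int
    pid: int
    image: Optional[str]  # None when netstat could not attribute the socket


def parse_netstat(text: str) -> List[Listener]:
    """Parse netstat -baon style output into Listener records."""
    listeners: List[Listener] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = SOCKET_RE.match(lines[i])
        if m:
            port, pid = int(m.group(1)), int(m.group(2))
            image = None
            # With -b, the next line carries "[image.exe]" or an ownership notice.
            if i + 1 < len(lines):
                nxt = lines[i + 1].strip()
                if nxt.startswith("[") and nxt.endswith("]"):
                    image = nxt[1:-1]
                    i += 1
                elif "ownership" in nxt.lower():
                    i += 1
            listeners.append(Listener(port, pid, image))
        i += 1
    return listeners


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from tasklist /fo csv output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def cross_view_check(listeners: List[Listener], processes: Dict[int, str],
                     external_ports: Set[int]) -> List[Tuple[str, int, str]]:
    """Return (kind, port, detail) for every disagreement between the views."""
    findings: List[Tuple[str, int, str]] = []
    host_ports = {l.port for l in listeners}
    for l in listeners:
        if l.image is None:
            findings.append(("unattributed-socket", l.port,
                             f"PID {l.pid} owns port {l.port} but netstat names no image"))
        if l.pid not in processes:
            findings.append(("pid-not-in-tasklist", l.port,
                             f"PID {l.pid} (port {l.port}) is absent from the process list"))
    # A port visible from the network but not to the host is the strongest hint
    # that the host's own socket enumeration is being filtered.
    for port in sorted(external_ports - host_ports):
        findings.append(("port-hidden-from-host", port,
                         f"port {port} answers on the wire but netstat does not list it"))
    return findings


if __name__ == "__main__":
    results = cross_view_check(parse_netstat(NETSTAT_OUTPUT),
                               parse_tasklist(TASKLIST_CSV), EXTERNAL_SCAN_PORTS)
    for kind, port, detail in results:
        print(f"{kind:24} port {port:<6} {detail}")
```

On real output, feed the script the saved text of `netstat -baon` and `tasklist /fo csv` taken on the suspect host and the port list from a scan run from a clean machine; any entry in the third category is a reason to distrust everything the host reports and to switch to the offline tools Chris recommends.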