Security Basics mailing list archives

Re: Hidden windows ports, files and services.

From: "Security" <security () sustainedhits com>
Date: Wed, 16 Feb 2005 08:49:24 -0500

Try using some tools that aren't affected by rootkits.

I gave you the URL to a good handful of them in my previous response.

So you don't have to go digging, here it is:
http://home.arcor.de/scheinsicherheit/rootkits.htm

Using the 'standard' tools like you have done will yield little if any results, as they are just using the standard API calls that are being hooked by whatever is infecting your system. This means they are being 'tricked' as much as the standard Windows utilities. You need to use programs that are unaffected by the modifications being made to the running task list, etc., if you really want to find this thing.

What your first priority should be is to find the registry keys that start it, and remove them, so you can at least reboot and then come back to a system that is telling you the truth about what's running. Then run some AV scanner or manually quarantine anything suspicious.

Sniffing logs and running 'malware' finding apps might get you a little bit further if they produce any results at all, and if an intruder notices you doing this they may just wipe your machine for you so they won't be caught.. just a warning before you plug the PC back into the network and go log-happy.. personally I'd turn off what they were running and put a honeypot-type process on that port once the system was cleaned and I was sure they couldn't get back in through any backdoors they may have planted.

Just my .02, I've dealt with many machines infected with rootkits, and never have any huge problems removing them - nor have I had the system wiped from beneath me, as I've seen happen to others who didn't know any better. :)

Have fun dissecting your box, and do tell what you find!

Chris

----- Original Message -----
From: "Mario Pascucci" <ilpettegolo () yahoo it>
To: <security-basics () securityfocus com>
Sent: Tuesday, February 15, 2005 3:19 AM
Subject: Re: Hidden windows ports, files and services.

On Mon, 2005-02-14 at 20:38, Alex Yan wrote:
> Hi all,
>
> Thanks a lot for your help.
> On weekend I tried some suggested options, but still
> didn't get much yet.
>
> Scanned the system using the latest Norton AV and
> Stinger in the safe mode. Nothing came out.
>
> Run "netstat -baon". It gives process IDs and program
> names for other processes. For the processes related
> to port 21, it says "No ownership information can be
> found".
>
> Tried fport, cport, process explorer, etc, but no
> luck.
>
> "telnet 127.0.0.1 21" gives prompt "220 ." and then
> times out in 15 seconds. No telnet service was found
> in Windows service list.

Try to use Hijackthis and post the log. Some of the malware in the wild
uses things such as browser helper objects, running as a service, or similar
behaviour to hide itself.
--
Mario "Reliant" Pascucci
http://ilpettegolo.altervista.org/
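Chris's point about hooked API calls and Alex's "No ownership information" netstat output both come down to the same defensive idea: compare two views of the same system that a rootkit would have to falsify consistently. The following is an added example, not code from this thread or from any tool mentioned in it. It parses constructed sample output in the shape of `netstat -bano` and `tasklist /FO CSV` (the sample is made up here, not captured from a real host) and flags listening endpoints whose owning PID is absent from the task list, or that netstat could not attribute to an executable. The exemption for PID 4 (`System`), for which netstat normally cannot report ownership, is an assumption of this example.

```python
"""Cross-view check of `netstat -bano` against `tasklist /FO CSV`.

A user-mode rootkit that hooks the standard process-enumeration APIs can
hide a process from tasklist, but a socket it listens on is still reported
by the TCP/IP stack together with an owning PID.  Any listening endpoint
whose PID is not in the task list, or that netstat could not attribute to
an executable, deserves a look with rootkit-aware tools.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample output (not captured from a real host).  PID 1337 is
# deliberately missing from the task list to model a hidden process.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       844
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1337
  Can not obtain ownership information
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  Can not obtain ownership information
  TCP    0.0.0.0:6789           0.0.0.0:0              LISTENING       1200
  Can not obtain ownership information
  TCP    192.168.1.10:1044      10.0.0.5:80            ESTABLISHED     1300
 [iexplore.exe]
  UDP    0.0.0.0:123            *:*                                    1052
 [svchost.exe]
"""

TASKLIST_SAMPLE = """
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","8 K"
"System","4","Services","0","236 K"
"svchost.exe","844","Services","0","5,120 K"
"svchost.exe","1052","Services","0","4,888 K"
"update.exe","1200","Services","0","1,204 K"
"iexplore.exe","1300","Console","0","22,016 K"
"""


@dataclass
class Socket:
    proto: str
    local: str
    state: str           # "" for UDP, which has no state column
    pid: int
    owner: Optional[str]  # image name netstat attributed, or None

# proto, local, foreign, optional state, pid
SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Socket]:
    """Turn netstat -bano output into Socket records, attaching the
    bracketed image name (or lack of one) that follows each socket line."""
    sockets: List[Socket] = []
    for raw in text.splitlines():
        m = SOCKET_LINE.match(raw)
        if m:
            proto, local, _foreign, state, pid = m.groups()
            sockets.append(Socket(proto, local, state or "", int(pid), None))
            continue
        if not sockets:
            continue  # header lines before the first socket
        line = raw.strip()
        if "ownership information" in line.lower():
            sockets[-1].owner = None  # netstat could not attribute the socket
        elif line.startswith("[") and line.endswith("]"):
            sockets[-1].owner = line[1:-1]
    return sockets


def parse_tasklist(csv_text: str) -> Dict[int, str]:
    """Map PID -> image name from tasklist /FO CSV output."""
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def cross_view(netstat_text: str, tasklist_csv: str) -> List[Tuple[str, int, str]]:
    """Return (local address, pid, reason) for endpoints the two views disagree on."""
    procs = parse_tasklist(tasklist_csv)
    findings: List[Tuple[str, int, str]] = []
    for s in parse_netstat(netstat_text):
        if s.proto == "TCP" and s.state != "LISTENING":
            continue  # only bound/listening endpoints are of interest here
        image = procs.get(s.pid)
        if image is None:
            findings.append((s.local, s.pid, "pid_hidden"))   # PID unknown to tasklist
        elif s.owner is None and image != "System":
            # Assumption: netstat normally cannot attribute PID 4 (System);
            # for any other process the missing owner is worth a closer look.
            findings.append((s.local, s.pid, "no_owner"))
    return findings


if __name__ == "__main__":
    for local, pid, reason in cross_view(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{local:<22} pid={pid:<6} {reason}")
```

Run on a real host, the two samples would be replaced by the live command output; a `pid_hidden` finding is exactly the symptom Alex describes, and is the cue to switch to tools that do not rely on the hooked enumeration APIs before trusting anything the system reports.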