Re: How to find process behing TCP connection ?

["Mario A. Spinthiras" <mario () netway com cy>]

Daniel DeLeo wrote:
> A bit off topic for this thread, but...
> Just wanted to point out that under *NIX, if you get rooted, your copy 
> of lsof will probably be trojaned to hide the attacker's rootkit and 
> malicious activity.  You could potentially build a new lsof from 
> source or copy a binary from a trusted machine, however, off-line 
> forensic analysis is usually the way to go--especially because of 
> kernel-level rootkits that will lie to lsof, trojaned or not.  If your 
> *NIX has chflags (is this only on OpenBSD?  I've become so partisan to 
> OBSD for production machines that I don't know...) you can prevent 
> this by setting the system immutable flag on your kernel and binaries 
> like ps, lsof and the like.
>
> Now back on topic...
> Sounds like you've got a reverse-engineering challenge on your hands.  
> If you're up for it, SoftICE is something you should look into.  The 
> book "Security Warrior" from O'Reilly will get you started and there's 
> probably some good advice on the web.  That being said, unless you 
> already have skills with assembler, this is probably more effort than 
> you'll want to expend on the issue, especially since your opponent, 
> the malware author, seems to have some skills at anti-detection, so he 
> might have some skills at anti-reverse-engineering, too.
> (disclaimer: reverse engineering is one of those skills that I've 
> always wanted to learn, but there's always a fire to be put out just 
> when I sit down to start practicing)
>
> Finally, DO NOT FORGET to firewall the crap out of your honeypot box.  
> Look around the web for honeypot oriented root-kits, too.  I know of 
> sebek for *NIX, but there must be some for windows.  This will help 
> you get the most mileage out of your honeypot project.
>
> Daniel DeLeo
>
> On Sep 27, 2006, at 2:20 PM, Buozis, Martynas wrote:
>
> > Thanks for reply.
> >
> > Maybe I was not clear. Windows Server 2003 is acting as client and
> > initiates connection to service on port 139 too many workstations.
> > Actually it tries to logon as Administrator to many computers. And
> > process, that initiates connection, is "System 4". There are no reasons
> > why this server should connect to any of these workstations. Per
> > configuration attempt to logon as Admin is denied.
> >
> > I set up open system and expect server will try to connect to it, so
> > maybe I will understand better what is behind activity, but I am also
> > sure, that more people got same problem for different reasons and they
> > are willing to share their experience.
> >
> > So easy under Unix with LSOF and not possible under Windows ?... Can't
> > believe!
> >
> >
> > With best regards
> > Martynas
> >
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> > On Behalf Of Colin Copley
> > Sent: Wednesday, September 27, 2006 8:55 PM
> > To: Buozis, Martynas
> > Cc: security-basics () securityfocus com
> > Subject: Re: How to find process behing TCP connection ?
> >
> > Maybe this is some help?
> >
> > http://forum.sysinternals.com/forum_posts.asp?TID=3432
> >
> > If not, perhaps you could attempt to telnet or putty into the port, and
> > see
> > if it returns an error message which might give some more info.
> > Another idea - try ethereal to capture the packet data and see what it
> > contains.
> > Also I believe nmap can attempt to establish what's listening on a
> > certain
> > port.  It might give you more info than just system 4.
> > Regards
> > Colin
> >
> >
> > ----- Original Message -----
> > From: "Buozis, Martynas" <martynas () ti com>
> > Hello
> >
> > I need an advice. I have Windows 2003 server. It occasionally show
> > strange and suspicious network behavior. I used command "netstat -abov"
> > and Process explorer tool from Sysinternals to find process behind
> > connections. I found that it is "System 4" and got stuck. How I can
> > identify what is behind this "System 4"?
> >
> > I thought it may be hidden process, but RootkitReveal from Systinternals
> > did not show anything.
> >
> > I will be grateful for any ideas how to identify what is behind these
> > TCP connections from server to many computers!
> >
> > Thank you in advance.
> >
> > With best regards
> > Martynas
> >
> >
> >
> > ------------------------------------------------------------------------
> > ---
> > This list is sponsored by: Norwich University
> >
> > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > The NSA has designated Norwich University a center of Academic
> > Excellence
> > in Information Security. Our program offers unparalleled Infosec
> > management
> > education and the case study affords you unmatched consulting
> > experience.
> > Using interactive e-Learning technology, you can earn this esteemed
> > degree,
> > without disrupting your career or home life.
> >
> > http://www.msia.norwich.edu/secfocus
> > ------------------------------------------------------------------------
> > ---
> >
> >
> > --------------------------------------------------------------------------- 
> >
> > This list is sponsored by: Norwich University
> >
> > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > The NSA has designated Norwich University a center of Academic 
> > Excellence
> > in Information Security. Our program offers unparalleled Infosec 
> > management
> > education and the case study affords you unmatched consulting 
> > experience.
> > Using interactive e-Learning technology, you can earn this esteemed 
> > degree,
> > without disrupting your career or home life.
> >
> > http://www.msia.norwich.edu/secfocus
> > --------------------------------------------------------------------------- 
>
>
> --------------------------------------------------------------------------- 
>
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic 
> Excellencein Information Security. Our program offers unparalleled 
> Infosec managementeducation and the case study affords you unmatched 
> consulting experience.Using interactive e-Learning technology, you can 
> earn this esteemed degree,without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> --------------------------------------------------------------------------- 
reverse engineering? what are you talking about.

You are right about the root kits. BUT if its a kernel module rootkit 
then it wont make any different because the resources in the system are 
spoofed so any software you use will give you the output hiding what the 
hacker wants to hide.

Regards,
Mario A. Spinthiras


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------