Security Incidents mailing list archives

Re: NT Compromise

From: Christine Merey <cmerey2 () algorithmics com>
Date: Wed, 19 Dec 2001 16:38:44 -0500

-----Original Message-----
From: Eric Hines [mailto:eric3+ () pitt edu]
Sent: Wednesday, December 19, 2001 2:46 PM
To: incidents () securityfocus com
Subject: NT Compromise

Hey all,

I am responding to several compromised NT boxes and am trying to find a
utility that will allow you to see what program is bound to a particular
port. I think I've seen one that shows what ports are bound to
command.com, but need something similar for other programs/trojans/etc.
Is there something available? Has anyone seen a compromised NT box with
port 6667 open that does not seem to be running an IRCD? Check out the
below snippit from netstat. I've tried connecting to the 6667 port with
MiRC.. Nothing at all! I need to find out what process/application
opened this port. On this note, can anyone recommend a good forensics
toolkit for Windows to be used on compromised machines?

C:\ netstat -an
-- snip --
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6668           0.0.0.0:0              LISTENING
-- snap --



Try Arne Vidstrom's inzider to get an "lsof" type of information on NT/2000:
www.ntsecurity.nu/toolbox/inzider, it will tell you port/app mappings.

Secondly, check out www.sysinternals.com - they have a gold mine of free tools 
that will give you the skinny on your NT box - in particular to find what 
this app is, look at: TDIMon for network connections, and Process Explorer 
for all processes running on your system (obviously, if it doesn't show 
your 6667 listener then it's hidden.).

Chris.

Christine Merey
Security Administrator
Toronto, Ontario
cmerey () algorithmics com
PGP Key-ID: 0x880E574A

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

NT Compromise Eric Hines (Dec 19)
- RE: NT Compromise Jignesh Pathak (Dec 19)
  - RE: NT Compromise Matthew Leeds (Dec 19)
- Re: NT Compromise Nexus (Dec 19)
- Re: NT Compromise H C (Dec 20)
- Re: NT Compromise Paulo Braga (Dec 20)
- <Possible follow-ups>
- Re: NT Compromise Christine Merey (Dec 19)
- NT Compromise MALIN, ALEX (PB) (Dec 19)