Penetration Testing mailing list archives

Unknown App


From: "Scott Fuhriman" <fuhrimans () llix net>
Date: Fri, 22 Jul 2005 11:57:43 -0700


It is my opinion, and I would hope others would agree, that with this particular
issue as originally described the only way to identify and mitigate whatever
is happening is to get local access to the machine and then start performing
some initial forensics, as others and I have suggested, by running
utilities that show what processes/PIDs are bound to which ports.  This will
allow you to search for the potentially offending file/executable and do
some more investigation from there.

Remember however, the biggest concern is that if there is a compromise, the
box typically has to be completely wiped and installed from scratch to
eliminate the possibility of other backdoors/Trojans that may be residing on
your machine.  Many/most rootkits for example have a payload to deliver on
the machine, but also drop various other items and make configuration
changes to allow an attacker other methods to regain access to the
compromised machine.  It all depends on what your findings are and the level
of risk an organization is willing to accept to effectively mitigate.

Many administrators or managers who don't have security training or a security
mindset overlook this fact and think they have mitigated the issue when in
fact malicious activity continues to occur or the issue originally
discovered resurfaces.


Scott Fuhriman


-----Original Message-----
From: Sharad Birmiwal [mailto:sharadbirmiwal () gmail com] 
Sent: Friday, July 22, 2005 2:31 AM
To: thenightweighsheavy () gmail com; pen-test () securityfocus com
Subject: Re: Unknown App

I recently discovered some worm on my network that tried to spread a payload
file 'xxxxxxxx' by binding on port 80. It didn't serve a banner or any
webpages, but http://<ip>/xxxxxxxx worked.

Sharad Birmiwal

On 7/21/05, Scott Fuhriman <fuhrimans () llix net> wrote:

The easiest and fastest approach is to use a port mapping utility like 
Active Ports
(http://www.ntutility.com) or TCPview (www.sysinternals.com) (there 
are others like fport, etc...) which will allow you to see what 
process has port 80 open on the machines.

This will allow you to identify what application/process is utilizing 
that port.



Scott Fuhriman
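The procedure Scott describes (map the listening port to a PID, then to the executable on disk, then investigate that file) as an added example; this is not code from the thread or from any of the tools named in it. It assumes a Windows host with the NetTCPIP module (Windows 8 / Server 2012 or later) and an elevated PowerShell session, since process paths of other users' processes are not readable otherwise.

```powershell
# Added example (not from the thread): map listening TCP ports to the owning
# process, its executable path, Authenticode status and SHA-256 hash, so an
# unexpected listener on port 80 can be traced to a file for investigation.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection) and an elevated shell.
param(
    [int[]]$Ports = @(80)   # ports of interest; default is the thread's port 80
)

$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $Ports -contains $_.LocalPort }

foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $path = $null
    if ($proc) { $path = $proc.Path }   # null for System (PID 4) and protected processes

    # Port 80 owned by PID 4 (System) normally means the kernel HTTP driver
    # (http.sys) holds it on behalf of a user-mode service such as IIS; check the
    # registered URL reservations with: netsh http show servicestate
    $note = if ($conn.OwningProcess -eq 4) { 'kernel listener (http.sys?) - see netsh http show servicestate' } else { '' }

    $sig  = 'n/a'
    $hash = 'n/a'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        LocalAddress = $conn.LocalAddress
        LocalPort    = $conn.LocalPort
        PID          = $conn.OwningProcess
        Process      = if ($proc) { $proc.ProcessName } else { '<not found>' }
        Path         = $path
        Signature    = $sig      # 'Valid' for signed binaries; 'NotSigned' warrants a closer look
        SHA256       = $hash     # compare against a known-good copy or your own inventory
        Started      = if ($proc) { $proc.StartTime } else { $null }
        Note         = $note
    }
}
```

Run it as a script file (for example `.\Find-PortOwner.ps1 -Ports 80,443`); an unsigned binary in an odd location with a recent start time is the file to pull for further forensics, while a PID 4 owner points you at http.sys reservations instead of a process on disk.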



