Security Basics mailing list archives

RE: Hidden windows ports, files and services.


From: "Paul Marsh" <pmarsh () nmefdn org>
Date: Tue, 15 Feb 2005 10:50:34 -0500

Alex:

        Are you running IIS on the system in question?  Are you running
FTP along with IIS?  If you don't need them, go to Add/Remove Programs,
Add/Remove Windows Components, uncheck IIS and click Next, reboot and do
a netstat -bano and see what's listening now.  What kind of an internet
connection do you have, broadband maybe?

Thanx, Paul

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com] 
Sent: Tuesday, February 15, 2005 10:17 AM
To: Paul Marsh; security-basics () securityfocus com
Subject: RE: Hidden windows ports, files and services.

Hi Paul,

I did run TASKLIST before without "/SVC". The processes are invisible to
this command.

Last night, I checked Recycler, system32, system, etc, but didn't get
much.

I ran TCPVIEW and got two sets of interesting entries with non-existent:

<non-existent>:348  local:ftp    LISTENING
<non-existent>:348  local:https  LISTENING
<non-existent>:348  local:6101   LISTENING

<non-existent>:1740  local:ftp    LISTENING
<non-existent>:1740  local:https  LISTENING
<non-existent>:1740  local:6101   LISTENING

These can be seen from "netstat" too. But I can't kill these processes
using TCPVIEW. I tried to kill other regular processes; it's OK.

Using "msconfig", I disabled sys.ini and win.ini, stopped loading
startup programs and disabled all services loading except those from
Microsoft for a clean boot. But these processes are still there.

I also disabled some MS services like IIS, Plug/Play, Web Client, etc.
No luck. After I disabled "DHCP", the processes were gone. But after
"DHCP" was disabled, almost all other processes were gone too.

Next step, maybe I should do something in the registry.

Thanks
Alex

 
--- Paul Marsh <pmarsh () nmefdn org> wrote:

 Alex:

      This is very interesting and hopefully you can do a little more
investigation before you nuke and rebuild.  You did a netstat -bano
and found two processes running listening on port 21.
Try a TASKLIST /SVC
at a command prompt to see if you can identify the executable.  I'd do
a complete port scan on the system to see what else is happening; try
NMAP http://www.insecure.org/nmap/ against your system on all 65K
ports TCP and UDP.  I'd also run Ethereal http://www.ethereal.com/ on
the system to see if anything is trying to call home or if anything is
trying to get in.  I'm hoping with the list of listening ports and
capturing some traffic we can identify what's cook'in.  Another good
source of info can be found at

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

      Please keep us up to date as to what you find.

Thanx

-----Original Message-----
From: Alex Yan [mailto:drcyyan () yahoo com]
Sent: Monday, February 14, 2005 2:39 PM
To: H Carvey; security-basics () securityfocus com
Subject: Re: Hidden windows ports, files and services.

Hi all,

Thanks a lot for your help.
On weekend I tried some suggested options, but still didn't get much 
yet.

Scanned the system using the latest Norton AV and Stinger in the safe 
mode. Nothing came out.

Run "netstat -baon". It gives process IDs and program names for other
processes. For the processes related to port 21, it says "No ownership
information can be found".

Tried fport, cport, process explorer, etc, but no luck.

"telnet 127.0.0.1 21" gives prompt "220 ." and then times out in 15 
seconds. No telnet service was found in Windows service list.

Tonight I will follow Mark's suggestions step by step and see if I
can get something. I will also try other options. If anything comes
out, I will let you know.

I am a software developer, more on Unix, not so familiar with Windows
registry and all kinds of services and processes on XP. If I cannot
find the problem and fix it, I have to reformat the system. But even
after reformatting, there is still a chance that the system could not
be totally clean, because I have to restore some critical data from
the backup.

Thanks again.
Alex


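The cross-check Paul and Alex do by hand above (a netstat -bano listener list against TASKLIST /SVC), as an added example that is not part of this thread: it parses the two outputs and flags listening sockets that netstat cannot attribute to an image, or whose PID the task list does not show, which is exactly the pattern Alex reports. The two captures are constructed, and the XP-era column layout, the wording of the ownership messages and the port numbers are assumptions.

```python
import re
# Constructed samples in the layout of XP `netstat -bano` / `tasklist /svc`.
NETSTAT = """\
  Proto  Local Address    Foreign Address  State        PID
  TCP    0.0.0.0:21       0.0.0.0:0        LISTENING    348
  No ownership information can be found
  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING    908
 [svchost.exe]
  TCP    0.0.0.0:443      0.0.0.0:0        LISTENING    1740
  Can not obtain ownership information
  TCP    127.0.0.1:1027   127.0.0.1:21     ESTABLISHED  1516
 [telnet.exe]
"""
TASKLIST = """\
Image Name                     PID Services
svchost.exe                    908 RpcSs
telnet.exe                    1516 N/A
"""
ENTRY = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")  # state is absent on UDP rows
TASK = re.compile(r"^(.+?)\s+(\d+)\s+(\S.*)$")  # image name, pid, services

def parse_netstat(text):
    """LISTENING rows; 'image' is the [name] line under a row, None on an ownership error."""
    listeners, current = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # a new row ends the owner lines belonging to the previous one
            current = None
            if m.group(4) == "LISTENING":
                current = {"proto": m.group(1), "local": m.group(2),
                           "pid": int(m.group(5)), "image": None}
                listeners.append(current)
        elif current is not None and line.strip().startswith("["):
            current["image"] = line.strip().strip("[]")
    return listeners

def parse_tasklist(text):
    return {int(m.group(2)): (m.group(1), m.group(3).strip())  # pid -> (image, services)
            for m in map(TASK.match, text.splitlines()) if m}

def find_unattributed(listeners, tasks):
    """Flag listeners netstat could not name or whose pid tasklist lacks."""
    flagged = []
    for l in listeners:
        why = ["netstat gave no ownership information"] if l["image"] is None else []
        if l["pid"] not in tasks:
            why.append("pid %d missing from tasklist" % l["pid"])
        if why:
            flagged.append((l["proto"], l["local"], l["pid"], "; ".join(why)))
    return flagged
```

On a live box, feed it the saved output of both commands; a listener flagged on both counts is the case to investigate with a kernel-level view rather than more user-mode tools.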



