Security Basics mailing list archives
RE: Hidden windows ports, files and services.
From: "Paul Marsh" <pmarsh () nmefdn org>
Date: Tue, 15 Feb 2005 10:50:34 -0500
Alex: Are you running IIS on the system in question? Are you running FTP along with IIS? If you don't need them add/remove programs, add/remove Windows Components uncheck IIS and click next, reboot and do a netstat -bano and see what's listening now. What kind of a internet connection do you have, broadband maybe? Thanx, Paul -----Original Message----- From: Alex Yan [mailto:drcyyan () yahoo com] Sent: Tuesday, February 15, 2005 10:17 AM To: Paul Marsh; security-basics () securityfocus com Subject: RE: Hidden windows ports, files and services. Hi Paul, I did run TASKLIST before without "/SVC" The processes are invisible to this command. Last night, I checked Recycler, system32, system, etc, but didn't get much. I run TCPVIEW and got two set of interesting entries with non-existent: <non-existent>:348 local:ftp LISTENING <non-existent>:348 local:https LISTENING <non-existent>:348 local:6101 LISTENING <non-existent>:1740 local:ftp LISTENING <non-existent>:1740 local:https LISTENING <non-existent>:1740 local:6101 LISTENING These can be seen from "netstat" too. But I can't kill these processes using TCPVIEW. I tried to kill other regular processes, it's OK. Using "msconfig", I disabled sys.ini and win.ini, stopped to load startup programs and disabled all services loading except those from Microsoft for a clean boot. But these processes are still there. I also disabled some MS services like IIS, Plug/Play. Web Client, etc. No luck. After I disabled "DHCP", processes are gone. But after "DHCP" was disabled, almost all other processes are gone too. Next step, maybe I should do something on registry. Thanks Alex --- Paul Marsh <pmarsh () nmefdn org> wrote:
Alex: This is very interesting and hopefully you can do a little more investigation before you nuke and rebuild. You did an netstat -bano and found two processes running listening on port 21. Try a TASKLIST /SVC at a command prompt to see if you can identify the executable. I'd do
a complete port scan on the system to see what else is happening try NMAP http://www.insecure.org/nmap/ against your system on all 65K ports TCP and UDP. I'd also run Ethereal http://www.ethereal.com/ on the system to see if anything is trying to call home or if anything is
trying to get in. I'm hoping with the list of listening ports and capturing some traffic we can identify what's cook'in. Another good source of info can be found at
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_an
d_Rootkit_Tools_in_a_Windows_Environment.html Please keep us up to date as to what you find. Thanx -----Original Message----- From: Alex Yan [mailto:drcyyan () yahoo com] Sent: Monday, February 14, 2005 2:39 PM To: H Carvey; security-basics () securityfocus com Subject: Re: Hidden windows ports, files and services. Hi all, Thanks a lot for your help. On weekend I tried some suggested options, but still didn't get much yet. Scanned the system using the latest Norton AV and Stinger in the safe mode. Nothing came out. Run "netstat -baon". It gives process IDs and program names for other processes. For the processes related to port 21, it says "No ownership
information can be found". Tried fport, cport, process explorer, etc, but no luck. "telnet 127.0.0.1 21" gives prompt "220 ." and then times out in 15 seconds. No telnet service was found in Windows service list. Tonight I will follow the Mark's suggestions step by step and see if I
can get something. I will also try other options. If anything came out, I will let you know. I am a software developer, more on Unix, not so familiar with Windows registry and all kinds of services and processes on XP. If I can not find the problem and fix it, I have to reformat the system. But even after reformating, there is still a chance that the system could not be totally clean, because I have to restore some critical data from the backup. Thanks again. Alex
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Current thread:
- RE: Hidden windows ports, files and services., (continued)
- RE: Hidden windows ports, files and services. Nick Duda (Feb 11)
- Re: Hidden windows ports, files and services. Security (Feb 11)
- Re: Hidden windows ports, files and services. Varun Pitale (Feb 14)
- Re: Hidden windows ports, files and services. Security (Feb 11)
- RE: Hidden windows ports, files and services. Doug . Janelle (Feb 11)
- Re: Hidden windows ports, files and services. H Carvey (Feb 14)
- Re: Hidden windows ports, files and services. Alex Yan (Feb 14)
- Re: Hidden windows ports, files and services. Mario Pascucci (Feb 15)
- Re: Hidden windows ports, files and services. Security (Feb 17)
- Re: Hidden windows ports, files and services. Alex Yan (Feb 14)
- RE: Hidden windows ports, files and services. Nick Duda (Feb 11)
- RE: Hidden windows ports, files and services. Paul Marsh (Feb 15)
- RE: Hidden windows ports, files and services. Alex Yan (Feb 15)
- RE: Hidden windows ports, files and services. Paul Marsh (Feb 15)
- RE: Hidden windows ports, files and services. Alex Yan (Feb 15)
- RE: Hidden windows ports, files and services. Alex Yan (Feb 15)
- RE: Hidden windows ports, files and services. Paul Marsh (Feb 15)
- Re: Hidden windows ports, files and services. H Carvey (Feb 17)