mailing list archives
Re: Hidden windows ports, files and services.
From: Charles Otstot <charles.otstot () ncmail net>
Date: Mon, 20 Dec 2004 16:02:41 -0500
I won't speak to the recycle bin since I haven't tested yet, but I may
be able to help with ID'ing the ftp server.
Most of the tagged servers I've seen run Serv-U ftp. Typically the
scripts for installing will be in a subfolder of the %winroot% folder
(often as a subfolder of the %winroot%\system32\drivers folder). If
someone has gotten smart enough to hide the port, you might check your
services listing. Look for a service which appears legitimate, but in
reality isn't. For example, you may see a service listed as "scvhost" or
which has a legitimately named file in a wrong location (e.g.
c:\windows\svchost). Notice that the errors are subtle, so it's easy to
miss. If you find such a service, BinText may help you ID the actual server.
Hope this helps at least a bit.
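An added example (not from this thread or from either poster) that turns the services check above into a script: it flags services whose binary carries a Windows system file name but lives outside the system directories (the c:\windows\svchost case) and services whose name is one edit or transposition away from a well-known name (scvhost). It assumes a current Windows host with CIM available; the list of well-known names is an illustrative assumption and should be tuned for the environment being examined.

```powershell
# Added example, not part of the original thread. Audits Win32_Service entries
# for two masquerading patterns: a system file name in the wrong directory, and
# a service name that is a near-miss of a well-known name. The name list below
# is an assumption for illustration, not an authoritative allowlist.

$KnownSystemNames = @('svchost', 'lsass', 'csrss', 'winlogon', 'services', 'spoolsv', 'explorer')
$ExpectedDirs     = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# Optimal-string-alignment distance: one transposition (scvhost/svchost) costs 1.
function Get-EditDistance {
    param([string]$A, [string]$B)
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    $d = [int[,]]::new($A.Length + 1, $B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
            if ($i -gt 1 -and $j -gt 1 -and $A[$i - 1] -eq $B[$j - 2] -and $A[$i - 2] -eq $B[$j - 1]) {
                $d[$i, $j] = [Math]::Min($d[$i, $j], $d[$i - 2, $j - 2] + 1)
            }
        }
    }
    return $d[$A.Length, $B.Length]
}

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Image paths may be quoted and carry arguments; return just the executable.
    $s = $PathName.Trim()
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        if ($end -gt 1) { return $s.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($s, '^(.+?\.exe)\b', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($s -split '\s+')[0]
}

function Find-SuspiciousServices {
    param([object[]]$Services = (Get-CimInstance Win32_Service))
    foreach ($svc in $Services) {
        if (-not $svc.PathName) { continue }
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (-not $bin) { continue }
        $leaf = [IO.Path]::GetFileNameWithoutExtension($bin).ToLowerInvariant()
        $dir  = Split-Path -Parent $bin
        $reasons = @()

        # 1. A system binary name living outside System32/SysWOW64 (c:\windows\svchost).
        $inExpected = $ExpectedDirs | Where-Object { $dir -like "$_*" }
        if ($KnownSystemNames -contains $leaf -and -not $inExpected) {
            $reasons += "system file name outside System32/SysWOW64: $bin"
        }

        # 2. A service name that is a near-miss of a well-known name, but not the name itself.
        foreach ($known in $KnownSystemNames) {
            if ((Get-EditDistance $svc.Name $known) -eq 1) {
                $reasons += "name '$($svc.Name)' resembles '$known'"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Name = $svc.Name; State = $svc.State; Path = $bin; Reasons = ($reasons -join '; ') }
        }
    }
}

Find-SuspiciousServices | Format-Table -AutoSize -Wrap
```

Anything the script reports still needs a human look (an edit distance of one will occasionally catch a legitimate third-party name), but it surfaces exactly the subtle errors the reply warns are easy to miss when scrolling through the services list by eye.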
Mark Reis wrote:
Being at a University, I get to deal with my fair share of compromised
machines. Over the past year or so, I've started to notice that
hackers are getting smarter along with Microsoft making things more
complicated with XP SP2. I'm hoping that other members of this list
might be able to help resolve this or know of a workaround.
I'm not interested in discussion of how to secure these machines; I do
what I can within the inherent bureaucracy of the system. :)
One of the most common things I see is hackers hiding an FTP server for
questionable material in the RECYCLER. Assume that I am logged in as
the local administrator, the machine is disconnected from the network,
and explorer has been set to show all files. The offending process has
been found and removed, and I'd like to analyze the ftp server. The
default behavior of Windows XP is to hide the contents of the
C:\RECYCLER\UID. Prior to XP SP2, I used to be able to go through the
c$ share and see the contents via \\machine\c$\recycler\UID. However
with XP SP2, this option was removed. Ultimately, I now need to
download and use cygwin to list the directory contents.
Does anyone know how to get XP to show *everything*? The same thing
applies to XP hiding the IE cache.
A machine was recently compromised and the only way I was aware of
this was by doing an nmap port scan of the system. NMAP 3.75 showed an
ftp server on a non-standard port. Using ncftp, I was able to connect
to this server.
ncftp -P 1475 compromised machine -u anonymous
NcFTP 3.1.7 (Jan 07, 2004) by Mike Gleason
Connecting to ....
FTP Server ready.
Sleeping 20 seconds...
However, when in front of the machine, I've run Active Ports, Fport
and TCPView. None of them lists a process as listening on that port. I
even downloaded fresh versions of each and tried again. No luck. This
is quite disturbing...
Does anyone have a suggestion on how to determine what process this is?
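An added example, not part of the original thread, that makes the comparison in the post above systematic: the scanner's view of the host (nmap) against the host's own view of its listening sockets. Fport, Active Ports and TCPView all ask the host, so a listener that a kernel hook hides from them is invisible to every local tool at once; the port the network sees but the host denies is the signal. It assumes Windows 8/Server 2012 or later for Get-NetTCPConnection (the modern stand-in for Fport/TCPView), and the nmap grepable output it parses is constructed, reusing the port 1475 from the post.

```powershell
# Added example, not part of the original thread. Diffs the ports an external
# nmap scan reports open against the host's own listening-socket table; a port
# open on the wire with no local owner is the hidden-listener case and calls for
# offline disk analysis rather than more host-side tools.

function Get-OpenTcpPortsFromNmapGrepable {
    # Parses "nmap -oG" lines such as "Host: 10.0.0.5 ()  Ports: 21/open/tcp//ftp///, ...".
    param([string[]]$Lines)
    $ports = foreach ($line in $Lines) {
        if ($line -notmatch '^Host:.*Ports:') { continue }
        foreach ($m in [regex]::Matches($line, '(\d+)/open/tcp')) { [int]$m.Groups[1].Value }
    }
    return @($ports | Sort-Object -Unique)
}

function Get-LocalListeningTcpPorts {
    # The host's own view: listening sockets with their owning process.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = [int]$_.LocalPort
            Pid     = $_.OwningProcess
            Process = $proc.ProcessName
            Path    = $proc.Path
        }
    }
}

function Compare-ScanWithLocalView {
    param(
        [int[]]$ScannedOpen,
        [object[]]$LocalListeners = (Get-LocalListeningTcpPorts)
    )
    foreach ($p in $ScannedOpen) {
        $owner = $LocalListeners | Where-Object { [int]$_.Port -eq $p } | Select-Object -First 1
        $verdict = if ($owner) { 'visible locally' } else { 'HIDDEN: open on the wire, no local listener' }
        [pscustomobject]@{
            Port    = $p
            Verdict = $verdict
            Pid     = $owner.Pid
            Process = $owner.Process
            Path    = $owner.Path
        }
    }
}

# Constructed sample of the scanner's view (nmap -oG), not real output.
$scan = @(
    '# Nmap scan initiated (constructed sample)',
    'Host: 10.0.0.5 ()  Ports: 21/open/tcp//ftp///, 1475/open/tcp//ftp?///  Ignored State: closed (998)'
)
$open = Get-OpenTcpPortsFromNmapGrepable $scan
Compare-ScanWithLocalView -ScannedOpen $open | Format-Table -AutoSize
```

Run the scan from a second machine and feed its -oG file to the script on the suspect host; for a port the script marks HIDDEN, the Process and Path columns will be empty, which is the same finding the post reports with Fport and TCPView, now recorded in one table alongside the ports that do have a visible owner.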