On Mon, 20 Sep 1999, Lamont Granquist wrote:
> On Sat, 18 Sep 1999, Max Vision wrote:
> > specify -F). You should limit your scan to the services that you can,
> > yourself, explain why they are interesting or should be checked for.
>
> Is this really the best idea? If you're looking for Windoze trojans,
> then they could be listening on any port. The thing to do it would
> seem is to -sS scan for port 135/139
> (fragile-stack-friendly-os-detection) and then scan the entire
> portrange on these machines looking for trojans. Then ideally you
> save this info into a file and run a scan every N time units and
> compare the results with previous information.
>
This is a good idea :) Based on that it is far more likely that you will
find such trojans on a Windows user's PC, this approach could speed your
search considerably.
> And I've got a question as to how you go about doing forensics to
> determine if a WinNT/Win9X box has been trojaned when you find a really
> suspicious looking open port on the box? For example, there's this Win
> box we've got on our network (which I don't admin) and which is listening
> on port 4692/udp. The person who uses this box downloads a lot of stuff
> from the net. I suspect this is a possible trojan, but where the hell do
> I go from here? This might be getting a little afield of nmap discussion,
> but I think it's appropriate because it'd be good to be able to back up
> nmap scans with actual solid evidence on the machine that it has been
> compromised.
>
I've run across several lsof type tools for NT but when I saw your post
the only one I could find is Inzider:
http://www.bahnhof.se/~winnt/toolbox/inzider/index.html
If you're ever looking for general trouble with an NT machine, the
Forensic Toolkit by NTObjectives might be worth a look:
http://www.ntobjectives.com/prod03.htm (includes how-to)
Maybe also FileMon by Sysinternals:
http://www.sysinternals.com/filemon.htm
Max
Received on Sep 21 1999
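The save-and-compare step Lamont describes (scan the full port range, store the results, rescan every N time units and diff) can be scripted against nmap's grepable output. This is an added example, not code from either poster; it assumes the `-oG` line format ("Host: addr ()<TAB>Ports: port/state/proto//service///, ...") and uses constructed sample output with private addresses, with the 4692/udp listener from the thread appearing as the new port.

```python
"""Diff two nmap grepable (-oG) scans to spot newly listening ports."""
import re

# Constructed sample output in nmap -oG format (not real scan data).
BASELINE = """# Nmap scan initiated (constructed sample)
Host: 10.0.0.5 ()\tPorts: 135/open/tcp//loc-srv///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (65533)
Host: 10.0.0.6 ()\tPorts: 139/open/tcp//netbios-ssn///
"""
CURRENT = """# Nmap scan initiated (constructed sample)
Host: 10.0.0.5 ()\tPorts: 135/open/tcp//loc-srv///, 139/open/tcp//netbios-ssn///, 4692/open/udp//unknown///
Host: 10.0.0.6 ()\tPorts: 139/open/tcp//netbios-ssn///, 53/open|filtered/udp//domain///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_gnmap(text, include_open_filtered=False):
    """Return {host: {(port, proto), ...}} for ports nmap reports as open.

    UDP probes often come back 'open|filtered'; those are excluded unless
    include_open_filtered is set, since they generate many false positives.
    """
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip '#' comment and header lines
        host = HOST_RE.match(line).group(1)
        ports = result.setdefault(host, set())
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                port, state, proto = parts[0], parts[1], parts[2]
                if state == "open" or (include_open_filtered and state == "open|filtered"):
                    ports.add((int(port), proto))
    return result


def diff_scans(old, new):
    """Return {host: (newly_open, newly_closed)} for hosts whose open ports changed."""
    changes = {}
    for host in set(old) | set(new):
        before, after = old.get(host, set()), new.get(host, set())
        added, removed = after - before, before - after
        if added or removed:
            changes[host] = (added, removed)
    return changes
```

Each periodic run would be saved with `-oG` to a dated file and its parse diffed against the stored baseline; any host that shows up in the result with a newly open port is the one to look at on the machine itself with the tools Max lists.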