RE: Hidden windows ports, files and services.

[Alex Yan <drcyyan () yahoo com>]

Paul,

I have Verizon DSL with a Linksys router (BEFS41 ?). I
didn't configure it right till last weekend. The
firewall and port blocking were not working properly
before. I did try the XP ftp server and SERV-U ftp.
But I already removed these components. Under IIS,
there are no services running now. As you suggested, I
can try remove IIS component.

Thanks
Alex

--- Paul Marsh <pmarsh () nmefdn org> wrote:

> Alex:
>
>       Are you running IIS on the system in question?  Are
> you running
> FTP along with IIS?  If you don't need them
> add/remove programs,
> add/remove Windows Components uncheck IIS and click
> next, reboot and do
> a netstat -bano and see what's listening now.  What
> kind of a internet
> connection do you have, broadband maybe?
>
> Thanx, Paul
>
> -----Original Message-----
> From: Alex Yan [mailto:drcyyan () yahoo com] 
> Sent: Tuesday, February 15, 2005 10:17 AM
> To: Paul Marsh; security-basics () securityfocus com
> Subject: RE: Hidden windows ports, files and
> services.
>
> Hi Paul,
>
> I did run TASKLIST before without "/SVC" The
> processes are invisible to
> this command.
>
> Last night, I checked Recycler, system32, system,
> etc, but didn't get
> much.
>
> I run TCPVIEW and got two set of interesting entries
> with non-existent:
>
> <non-existent>:348  local:ftp    LISTENING
> <non-existent>:348  local:https  LISTENING
> <non-existent>:348  local:6101   LISTENING
>
> <non-existent>:1740  local:ftp    LISTENING
> <non-existent>:1740  local:https  LISTENING
> <non-existent>:1740  local:6101   LISTENING
>
> These can be seen from "netstat" too. But I can't
> kill these processes
> using TCPVIEW. I tried to kill other regular
> processes, it's OK.
>
> Using "msconfig", I disabled sys.ini and win.ini,
> stopped to load
> startup programs and disabled all services loading
> except those from
> Microsoft for a clean boot. But these processes are
> still there.
>
> I also disabled some MS services like IIS,
> Plug/Play.
> Web Client, etc. No luck. After I disabled "DHCP",
> processes are gone.
> But after "DHCP" was disabled, almost all other
> processes are gone too.
>
> Next step, maybe I should do something on registry.
>
> Thanks
> Alex
>
>  
> --- Paul Marsh <pmarsh () nmefdn org> wrote:
>
> >  Alex:
> >
> >     This is very interesting and hopefully you can do
> a little more 
> > investigation before you nuke and rebuild.  You
> did an netstat -bano 
> > and found two processes running listening on port
> 21.
> > Try a TASKLIST /SVC
> > at a command prompt to see if you can identify the
> executable.  I'd do
>
> > a complete port scan on the system to see what
> else is happening try 
> > NMAP http://www.insecure.org/nmap/ against your
> system on all 65K 
> > ports TCP and UDP.  I'd also run Ethereal
> http://www.ethereal.com/ on 
> > the system to see if anything is trying to call
> home or if anything is
>
> > trying to get in.  I'm hoping with the list of
> listening ports and 
> > capturing some traffic we can identify what's
> cook'in.  Another good 
> > source of info can be found at
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_an
> > d_Rootkit_Tools_in_a_Windows_Environment.html
> >
> >     Please keep us up to date as to what you find.
> >
> > Thanx
> >
> > -----Original Message-----
> > From: Alex Yan [mailto:drcyyan () yahoo com]
> > Sent: Monday, February 14, 2005 2:39 PM
> > To: H Carvey; security-basics () securityfocus com
> > Subject: Re: Hidden windows ports, files and
> services.
> > Hi all,
> >
> > Thanks a lot for your help.
> > On weekend I tried some suggested options, but
> still didn't get much 
> > yet.
> >
> > Scanned the system using the latest Norton AV and
> Stinger in the safe 
> > mode. Nothing came out.
> >
> > Run "netstat -baon". It gives process IDs and
> program names for other 
> > processes. For the processes related to port 21,
> it says "No ownership
>
> > information can be found".
> >
> > Tried fport, cport, process explorer, etc, but no
> luck.
> > "telnet 127.0.0.1 21" gives prompt "220 ." and
> then times out in 15 
> > seconds. No telnet service was found in Windows
> service list.
> > Tonight I will follow the Mark's suggestions step
> by step and see if I
>
> > can get something. I will also try other options.
> If anything came 
> > out, I will let you know.
> >
> > I am a software developer, more on Unix, not so
> familiar with Windows 
> > registry and all kinds of services and processes
> on XP. If I can not 
> > find the problem and fix it, I have to reformat
> the system. But even 
> > after reformating, there is still a chance that
> the system could not 
> > be totally clean, because I have to restore some
> critical data from 
> > the backup.
> >
> > Thanks again.
> > Alex
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam
> protection around
> http://mail.yahoo.com 



                
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - now with 250MB free storage. Learn more.
http://info.mail.yahoo.com/mail_250