Security Basics
Hidden windows ports, files and services. Dec 17 2004 08:33PM
Mark Reis (mcr2z cs virginia edu) (3 replies)
Hello,

Being at a University, I get to deal with my fair share of compromised
machines. Over the past year or so, I've started to notice that hackers
are getting smarter along with Microsoft making things more complicated
with XP SP2. I'm hoping that other members of this list might be able to
help resolve or know of a workaround.

I'm not interested in discussion of how to secure these machines; I do
what I can within the inherent bureaucracy of the system. :)

Hidden files:

One of the most common things I see is hackers hiding an FTP server for
questionable material in the RECYCLER. Assume that I am logged in as the
local administrator, the machine is disconnected from the network, and
explorer has been set to show all files. The offending process has been
found and removed, and I'd like to analyze the ftp server. The default
behavior of Windows XP is to hide the contents of the C:\RECYCLER\UID.
Prior to XP SP2, I used to be able to go through the c$ share and see
the contents via \\machine\c$\recycler\UID. However, with XP SP2, this
option was removed. Ultimately, I now need to download and use Cygwin to
list the directory contents.

Does anyone know how to get XP to show *everything*? The same thing
applies to XP hiding the IE cache.

Hidden Process:

A machine was recently compromised and the only way I was aware of this
was by doing an nmap port scan of the system. Nmap 3.75 showed an FTP
server on a non-standard port. Using ncftp, I was able to connect to
this server.

ncftp -P 1475 compromised machine -u anonymous
NcFTP 3.1.7 (Jan 07, 2004) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to ....

FTP Server ready.
Login incorrect.

Sleeping 20 seconds...

However, when in front of the machine, I've run Active Ports, Fport and
TCPView, none of which lists a process as listening on that port. I even
downloaded a fresh version of each and tried again. No luck. This is quite
disturbing...

Does anyone have a suggestion on how to determine what process this is?

Thank you,
Mark Reis

Re: Hidden windows ports, files and services. Dec 20 2004 09:02PM
Charles Otstot (charles otstot ncmail net)
Re: Hidden windows ports, files and services. Dec 20 2004 08:53PM
Michael Cecil (macecil comcast net)
Re: Hidden windows ports, files and services. Dec 20 2004 07:40PM
Egemen Tas (egemen tas gmail com)
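
The mismatch described under "Hidden Process" above (a port that answers
from the network but that no local tool lists) can be checked
systematically by diffing the two views. The following is an added
example, not part of the original post or its replies. It assumes the
external view is nmap grepable (-oG) output and the local view is
`netstat -ano` output rather than the tools named in the post; the address
192.0.2.10 and both sample captures are constructed, and port 1475 is the
one from the post.

```python
# Constructed sample: nmap -oG output from a scan run on a second machine.
NMAP_GREPABLE = """\
Host: 192.0.2.10 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 1475/open/tcp//unknown///, 3389/filtered/tcp//ms-term-serv///
"""

# Constructed sample: `netstat -ano` output captured on the suspect host itself.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:1040        198.51.100.7:80        ESTABLISHED     1512
"""

def external_open_tcp(grepable):
    """TCP ports nmap reported as open, from the 'Ports:' field of -oG output."""
    ports = set()
    for line in grepable.splitlines():
        if "Ports:" not in line:
            continue
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in field.split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                ports.add(int(parts[0]))
    return ports

def local_listening_tcp(netstat):
    """Map of listening TCP port -> PID, as the host itself reports it."""
    listeners = {}
    for line in netstat.splitlines():
        cols = line.split()
        if len(cols) == 5 and cols[0] == "TCP" and cols[3] == "LISTENING":
            listeners[int(cols[1].rsplit(":", 1)[1])] = int(cols[4])
    return listeners

def cross_view(grepable, netstat):
    """Ports reachable from outside that the host's own listing omits."""
    outside, inside = external_open_tcp(grepable), local_listening_tcp(netstat)
    return {"hidden": sorted(outside - set(inside)),
            "accounted": {p: inside[p] for p in sorted(outside & set(inside))}}

if __name__ == "__main__":
    result = cross_view(NMAP_GREPABLE, NETSTAT_ANO)
    for port, pid in result["accounted"].items():
        print(f"tcp/{port}: listed locally, PID {pid}")
    for port in result["hidden"]:
        print(f"tcp/{port}: open from the network, NOT listed locally")
```

Capture both views close together in time, since a listener that starts
or stops between the scan and the local listing also produces a mismatch.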


 

Copyright 2010, SecurityFocus