
0wn3d


14 replies to this topic

#1 coding_monkey

coding_monkey

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 346 posts
  • Location:UK

Posted 13 November 2005 - 07:00 PM

When I do a netstat I can see suspicious entries, like:

p1138-ipbf08kobeminato.hyogo.ocn.ne.jp:1427

I'd like to find out what process is running that's made that connection - I think I might have an open proxy installed by some virus or something. :angry:

I searched the forums and someone said netstat -o, but there's no -o option for Windows 2000. Apart from Ethereal, is there another way to work out what process is doing this?

#2 Merk

Merk

    Mack Daddy 31337

  • Members
  • 242 posts
  • Location:t3|-| |337 |*|_/-\<3

Posted 13 November 2005 - 07:13 PM

http://www.cotse.com...nNT/inzider.exe

Like lsof for NT.


http://www.sysintern...es/PsTools.html

Windows probably doesn't handle their sockets like files, but it's worth a shot. PsTools also has something to list all open files, but that may not include sockets.

Hope that could help, but it seems as though it probably wouldn't.

#3 coding_monkey

coding_monkey

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 346 posts
  • Location:UK

Posted 13 November 2005 - 08:17 PM

I see what you mean but I don't think that's what I'm after, thanks anyway.

I found a tool which displays the tcp/udp connections on my pc along with the pid.

It says that 'system' is the process which is opening up this port. :omfg: That doesn't help me much.

Do I have any other options other than to reinstall the OS?

#4 tehbizz

tehbizz

    Progenitor of noob slaying

  • Members
  • 2,039 posts
  • Gender:Male

Posted 13 November 2005 - 08:45 PM

What netstat switches did you use?

Try using `netstat -abv`. It will tell you what port is used along with the PID and all the process involved in that connection.

#5 coding_monkey

coding_monkey

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 346 posts
  • Location:UK

Posted 14 November 2005 - 03:33 AM

Well, I'm using Windows 2000, so that's not going to work, it doesn't have many switches available for netstat but that doesn't matter as I already found a tool to tell me the PID of the offending process that's running an open proxy / trojan - it's 'system' :(. I.e. somebody has modified my OS, from the look of it. No idea how, maybe some crappy piece of software I was trying out, probably 'AccessDiver' - which I was using to test my web server. This seems to have installed an open proxy back door. I can tell because random Polish and Japanese people seem to be connecting to my box as soon as I boot up and before I even load any apps.

I've been assimilated. :borg:

I will have a go at removing it but it's starting to look like my only option is to re-install 2000, or better yet... Linux, on my laptop.

Interestingly, my Sophos virus scanner didn't detect anything and RootKitRevealer said the system was clean.

I did scan my system for what apps were selected to start automatically and there were a few interesting ones that seemed to be 'file not found's... suspicious.

#6 Binary Hobo

Binary Hobo

    SCRiPT KiDDie

  • Members
  • 28 posts

Posted 14 November 2005 - 07:59 PM

> I've been assimilated. :borg:



Admit it, you said that just so you could use that smilie.

#7 SUB-S0NIX

SUB-S0NIX

    !Pee-Wee Pimpin!

  • Members
  • 1,381 posts

Posted 14 November 2005 - 09:13 PM

If your system is being used as a proxy to relay data, then why don't you load up a packet sniffer and log packets? You never know what you could "log" upon!

#8 coding_monkey

coding_monkey

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 346 posts
  • Location:UK

Posted 15 November 2005 - 03:01 AM

Heh... I admit it... :borg:

About logging traffic.... that occurred to me but I'm more concerned with avoiding letting my system be used for illegal activity (say someone uses it to download illegal pr0n or hack someone's bank or something) or activity which will get my IP address blacklisted.

I am tempted to install a honey pot on that IP address though and I'm definitely going to be reporting all the Polish script kiddies because I'm getting TONS of traffic from those n00bs.

Edited by coding_monkey, 15 November 2005 - 09:27 AM.


#9 sardonyx

sardonyx

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 11 posts

Posted 15 November 2005 - 08:08 PM

This was a good post - Got me wondering about my own server 2003 box. netstat -a dumped this info:

Active Connections

Proto Local Address Foreign Address State
TCP server:ftp server:0 LISTENING
TCP server:smtp server:0 LISTENING
TCP server:http server:0 LISTENING
TCP server:pop3 server:0 LISTENING
TCP server:epmap server:0 LISTENING
TCP server:microsoft-ds server:0 LISTENING
TCP server:1029 server:0 LISTENING
TCP server:1030 server:0 LISTENING
TCP server:1031 server:0 LISTENING
TCP server:1032 server:0 LISTENING
TCP server:3389 server:0 LISTENING
TCP server:1040 server:0 LISTENING
TCP server:netbios-ssn server:0 LISTENING
UDP server:microsoft-ds *:*
UDP server:isakmp *:*
UDP server:1026 *:*
UDP server:1037 *:*
UDP server:3456 *:*
UDP server:4500 *:*
UDP server:ntp *:*
UDP server:3456 *:*
UDP server:ntp *:*
UDP server:netbios-ns *:*
UDP server:netbios-dgm *:*

Now I understand the first 13 entries are enabled and listening because of the services I have set up on the box, what about the other entries? Marked with *:*, are these ports open I assume? Are they connected or listening also? Why don't they have a "foreign address"?

Also, say you did notice that they were routing traffic through your box, what honeypot for Windows could you set up? I've never used a honeypot and I'm just interested what they can do for you.

#10 matt

matt

    /dev/zero > C:\WINDOWS

  • Members
  • 1,166 posts
  • Location:817

Posted 15 November 2005 - 08:46 PM

Use TCPView to see whats using it. http://www.sysintern...es/TcpView.html



Use Filemon to see ALL processes running. See what files are being accessed. If you can, delete them.

http://www.sysintern...es/Filemon.html

#11 coding_monkey

coding_monkey

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 346 posts
  • Location:UK

Posted 16 November 2005 - 03:54 AM

> This was a good post - Got me wondering about my own server 2003 box. netstat -a dumped this info:
>
> Active Connections
>
>   Proto  Local Address          Foreign Address        State
>   ...
>
> Now I understand the first 13 entries are enabled and listening because of the services I have set up on the box, what about the other entries? Marked with *:*, are these ports open I assume? Are they connected or listening also? Why don't they have a "foreign address"?
>
> Also, say you did notice that they were routing traffic through your box, what honeypot for Windows could you set up? I've never used a honeypot and I'm just interested what they can do for you.


Holy Phjear Batman! :help: Unless you're running a webserver, ftp server, mailserver and proxy on the same box *deliberately*, I'd be a bit concerned about that.

They don't have any foreign addresses right now because nobody is connected. This might mean that nobody has found your system yet, or maybe that you're behind a decent firewall somewhere (maybe your router)... or not, maybe the kind of people that connect to you are just in bed right now.

The ports in the 1000s are probably a proxy.

You also have something called ISAKMP on your box, which according to Google: 'defines procedures and packet formats to establish, negotiate, modify and delete Security Associations' - did you install this? Sounds like some sort of remote management tool to me, which can be used for good or 3vil.

You also have NetBIOS enabled - which is bad, because it's very insecure and people can get into your box that way.

It also looks like you've got DNS installed on your machine.

All in all, it looks like you've been assimilated too. :borg:

As for honey pots.... get your system fixed first but when you're done, I'd suggest getting a sacrificial box, something with nothing valuable on it and using that as a honey pot, not your main system.

There's a lot on honey pots in the binrev forums, just search for honeypot. I've played around with netcat to try to make it a honeypot, but it crashed. :( When I get time, I'll have another go later.

Edited by coding_monkey, 16 November 2005 - 03:56 AM.
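A small triage script, added here as an example and not code posted by anyone in the thread, for reading the kind of netstat -a listing sardonyx posted and that coding_monkey interpreted above. It treats UDP rows with a foreign address of *:* as bound-but-connectionless (UDP has no connection state, which is why netstat prints no State column and no peer for them) and flags every TCP listener or bound UDP socket that is not on a baseline of services the owner deliberately runs. The sample text is a subset of sardonyx's output; the EXPECTED baseline is a constructed assumption.

```python
"""Triage a Windows `netstat -a` dump: classify each socket and flag
listeners that are not on an expected-services baseline."""
from collections import namedtuple

Sock = namedtuple("Sock", "proto local_port foreign state")

# Subset of the `netstat -a` listing posted in this thread.
NETSTAT_OUTPUT = """Active Connections
Proto Local Address Foreign Address State
TCP server:ftp server:0 LISTENING
TCP server:smtp server:0 LISTENING
TCP server:1029 server:0 LISTENING
TCP server:3389 server:0 LISTENING
TCP server:netbios-ssn server:0 LISTENING
UDP server:microsoft-ds *:*
UDP server:isakmp *:*
UDP server:1026 *:*
UDP server:ntp *:*
"""

# Constructed assumption: services the owner deliberately runs.
EXPECTED = {"ftp", "smtp", "http", "pop3", "3389"}
# NetBIOS/SMB ports the thread recommends removing from an exposed box.
NETBIOS = {"netbios-ns", "netbios-dgm", "netbios-ssn", "microsoft-ds"}

def parse_netstat(text):
    """Return one Sock per TCP/UDP row; header and blank lines are skipped."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        # UDP is connectionless: netstat prints no State column and the
        # foreign address is always *:*, meaning "bound and waiting for
        # datagrams", not "connected to a peer".
        state = parts[3] if proto == "TCP" and len(parts) > 3 else "BOUND"
        socks.append(Sock(proto, local.rsplit(":", 1)[1], foreign, state))
    return socks

def unexpected_listeners(socks, expected=EXPECTED):
    """Listening/bound sockets not on the baseline, each with a short reason."""
    flagged = []
    for s in socks:
        if s.state not in ("LISTENING", "BOUND") or s.local_port in expected:
            continue
        reason = "NetBIOS/SMB exposed" if s.local_port in NETBIOS else "not in baseline"
        flagged.append((s.proto, s.local_port, reason))
    return flagged
```

Run against a full dump, the flagged list is the set of ports to account for one by one (a known service, a deliberately installed component such as IPsec's isakmp, or something that needs explaining).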


#12 coding_monkey

coding_monkey

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 346 posts
  • Location:UK

Posted 16 November 2005 - 04:00 AM

> Use TCPView to see whats using it. http://www.sysintern...es/TcpView.html
>
> Use Filemon to see ALL processes running. See what files are being accessed. If you can, delete them.
>
> http://www.sysintern...es/Filemon.html


Thanks for the tool link - useful. Unfortunately, I can't fix my system if the kernel's been compromised. You can't delete the system process. I tried the Windows 'repair' option but that didn't seem to do jack and when I rebooted, I still got loads of people connecting to me again.

So, I reinstalled my OS again and ordered a copy of Linux on CD from these guys: http://www.cheeplinux.com/

I'd be interested to hear from anyone else who's done a netstat -a and seen some worrying results. I wonder how wide-spread this problem is? I'd noticed my bandwidth reducing and wondered why that was... now i know :blush:

#13 CS5n531

CS5n531

    elite

  • Members
  • 108 posts

Posted 17 November 2005 - 04:46 PM

> > Use TCPView to see whats using it. http://www.sysintern...es/TcpView.html
> >
> > Use Filemon to see ALL processes running. See what files are being accessed. If you can, delete them.
> >
> > http://www.sysintern...es/Filemon.html
>
> Thanks for the tool link - useful. Unfortunately, I can't fix my system if the kernel's been compromised. You can't delete the system process. I tried the Windows 'repair' option but that didn't seem to do jack and when I rebooted, I still got loads of people connecting to me again.
>
> So, I reinstalled my OS again and ordered a copy of Linux on CD from these guys: http://www.cheeplinux.com/
>
> I'd be interested to hear from anyone else who's done a netstat -a and seen some worrying results. I wonder how wide-spread this problem is? I'd noticed my bandwidth reducing and wondered why that was... now i know :blush:



That sucks so much man :( Hope to see you online again soon.

netstat -o doesn't work for 2000? My friend's running off that and using it fine.

(Went over there to test it for you :) )

#14 tehbizz

tehbizz

    Progenitor of noob slaying

  • Members
  • 2,039 posts
  • Gender:Male

Posted 17 November 2005 - 09:30 PM

ISAKMP is a component of setting up IPsec and/or a VPN.

#15 coding_monkey

coding_monkey

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 346 posts
  • Location:UK

Posted 18 November 2005 - 03:27 AM

> ISAKMP is a component of setting up IPsec and/or a VPN.


Cool. So I guess that bit is ok as long as he installed it himself.

Incidentally, while re-installing my OS, I found a good web page to test to see if your ports are in stealth mode or not:

http://www.grc.com/default.htm click on 'shields up!' and it tests to see if your ports are open, closed or stealthed. Obviously 'stealthed' is better because it appears as if you're not there.

I also found out that it's not enough to untick NetBIOS and file and print sharing on your network card(s), you have to click on 'remove' for those items too!

I disabled them, ran netstat and the 'shields up' scan and realised they were still open, so I then removed them completely and then strangely, all my ports were appearing as 'stealthed'.
