Re: NT Compromise

From: Christine Merey (cmerey2at_private)
Date: Wed Dec 19 2001 - 13:38:44 PST


    > 
    > -----Original Message-----
    > From: Eric Hines [mailto:eric3+@pitt.edu]
    > Sent: Wednesday, December 19, 2001 2:46 PM
    > To: incidentsat_private
    > Subject: NT Compromise
    > 
    > 
    > Hey all,
    > 
    > I am responding to several compromised NT boxes and am trying to find a
    > utility that will allow you to see what program is bound to a particular
    > port. I think I've seen one that shows what ports are bound to
    > command.com, but need something similar for other programs/trojans/etc.
    > Is there something available? Has anyone seen a compromised NT box with
    > port 6667 open that does not seem to be running an IRCD? Check out the
    > below snippet from netstat. I've tried connecting to the 6667 port with
    > mIRC... Nothing at all! I need to find out what process/application
    > opened this port. On this note, can anyone recommend a good forensics
    > toolkit for Windows to be used on compromised machines?
    > 
    > C:\ netstat -an
    > -- snip --
    >   TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
    >   TCP    0.0.0.0:6668           0.0.0.0:0              LISTENING
    > -- snap --
    > 
    
    
    Try Arne Vidstrom's inzider to get "lsof"-type information on NT/2000:
    www.ntsecurity.nu/toolbox/inzider; it will tell you port/app mappings.
    
    Secondly, check out www.sysinternals.com - they have a gold mine of free tools
    that will give you the skinny on your NT box. In particular, to find what
    this app is, look at TDIMon for network connections and Process Explorer
    for all processes running on your system (obviously, if it doesn't show
    your 6667 listener then it's hidden).
    
    Chris.
    
    Christine Merey
    Security Administrator
    Toronto, Ontario
    cmereyat_private
    PGP Key-ID: 0x880E574A
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
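The port-to-process lookup the thread is after, as an added example that is not part of the original post or of the inzider/Sysinternals tools it names: it runs on current Windows (Windows 8 / Server 2012 or later, where Get-NetTCPConnection exists) rather than NT 4, assumes an elevated shell, and defaults to the three listeners from the netstat snippet above.

```powershell
# Added example (not from the original thread): map listening TCP ports to
# the owning process. Assumes Windows 8 / Server 2012 or later and an
# elevated PowerShell session so process paths are readable for every user.
param(
    # Ports of interest; defaults are the listeners from the netstat output.
    [int[]]$Ports = @(6666, 6667, 6668)
)

$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $Ports -contains $_.LocalPort }

if (-not $listeners) {
    Write-Output "No listeners on ports $($Ports -join ', ')"
    return
}

foreach ($conn in $listeners) {
    $ownerPid = $conn.OwningProcess

    # Two independent views of the owner: the process object and the
    # WMI/CIM record, which also carries the command line and parent PID.
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $cim  = Get-CimInstance Win32_Process -Filter "ProcessId = $ownerPid" `
                -ErrorAction SilentlyContinue

    # A socket whose PID resolves to no visible process is the "hidden"
    # case from the reply: the kernel knows the listener, the process
    # enumeration does not. Treat that as the finding, not as noise.
    $name = if ($proc) { $proc.ProcessName } else { '<no visible process>' }
    $path = if ($proc -and $proc.Path) { $proc.Path } else { '<n/a>' }
    $cmd  = if ($cim) { $cim.CommandLine } else { '<n/a>' }
    $ppid = if ($cim) { $cim.ParentProcessId } else { $null }

    [pscustomobject]@{
        LocalAddress = $conn.LocalAddress
        LocalPort    = $conn.LocalPort
        PID          = $ownerPid
        ProcessName  = $name
        Path         = $path
        CommandLine  = $cmd
        ParentPID    = $ppid
        Hidden       = (-not $proc)
    }
}
```

Run it as `.\port-owner.ps1` or pass `-Ports 6667` to inspect a single port; compare the PID column with `netstat -ano` and with a Process Explorer listing, since an entry that shows in the TCP table but in neither process list is exactly what the reply means by hidden.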
    



    This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 15:53:13 PST