NT Compromise

From: MALIN, ALEX (PB) (am7861at_private)
Date: Wed Dec 19 2001 - 13:45:10 PST


    Hello Eric,
    
    That's an interesting problem that you have there.  I would say that it is
    *possible* at this point that you are working on a box that has been
    compromised (especially when one considers that you are sending from a
    school email account and one assumes that the machine you are diagnosing is
    also in that school network).  There really isn't a file per se that
    determines the redirector.  The redirector is a logical system for
    determining whether or not resources on a system need to be found by
    requesting locally, or requesting remotely.  I can't tell you what exactly
    is running on 6667 (though it could be IRC that just isn't responding
    because your redirector appears to be broken).  If your redirector is
    broken, then it stands a good chance of breaking other apps.  Before you can
    diagnose this machine further (to determine what the app is on that port) I
    would say that you need to fix the redirector (usually achieved by
    reinstalling network drivers and protocols--though a complete restore is
    also possibly necessary)... of course, if this machine is to be entered in
    as evidence in some sort of legal case, you'll obviously need to back it up
    first.
    
    As far as all those security logs go, you should consider that since your
    redirector is likely broken, your machine isn't properly able to serve up any
    sort of requests (be they NetBIOS, NTDS, Kerberos, etc.), and is likely
    logging all of these failed requests as such.  Of course, this could also be
    some other sort of network problem as well... but based on what you're
    telling me, that's my guess.  If you get me a little more input, I can
    probably produce a little more output for you.
    
    Alex 'the bossman' Malin
    
    -----Original Message-----
    From: Eric Hines [mailto:eric3+@pitt.edu]
    Sent: Wednesday, December 19, 2001 11:46 AM
    To: incidentsat_private
    Subject: NT Compromise
    
    
    Hey all,
    
    I am responding to several compromised NT boxes and am trying to find a
    utility that will allow you to see what program is bound to a particular
    port. I think I've seen one that shows what ports are bound to
    command.com, but need something similar for other programs/trojans/etc.
    Is there something available? Has anyone seen a compromised NT box with
    port 6667 open that does not seem to be running an IRCD? Check out the
    below snippet from netstat. I've tried connecting to the 6667 port with
    mIRC.. Nothing at all! I need to find out what process/application
    opened this port. On this note, can anyone recommend a good forensics
    toolkit for Windows to be used on compromised machines?
    
    C:\ netstat -an
    -- snip --
      TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
      TCP    0.0.0.0:6668           0.0.0.0:0              LISTENING
    -- snap --
    
    
    
    2nd Problem: Does anyone know what the REDIRECTOR in WindowsNT/2000 is?
    I am seeing a compromised NT box full of such logs in the event/security
    viewer. Logs have been pasted below. Notice all of the different
    hostnames/machines it's attempting to access. Add 70 something other
    machines to the below list. What is it and is this a sign of a definite
    compromise?
    
    12/17/01	1:16:26 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to READING.
    12/17/01	1:15:11 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to STEELSRV.
    12/17/01	1:14:01 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to PUBLICSAFETY1.
    12/17/01	1:12:51 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to ANITRA-00.
    12/17/01	1:10:41 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to SRFS-PDC.
    12/17/01	1:09:31 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to GODZILLA.
    12/17/01	1:08:21 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to SDMWWW.
    12/17/01	1:07:11 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to EXCHANGE.
    12/17/01	1:06:01 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to PICASSO.
    12/17/01	1:04:51 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to PITT-TV3.
    12/17/01	1:03:51 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to COMPUTERZ.
    12/17/01	1:02:36 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to SDMGENETICS1.
    12/17/01	1:01:36 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to BOHNER2.
    12/17/01	1:00:36 PM	Rdr	Warning	None	3013	N/A	INTERACT	The redirector has timed out a request to CALIBAN.
    
    
    Please advise!
    Eric
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
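    An added example, not code from either message in this thread: Python helpers
    for the two questions Eric raises, which process owns a listening port, and
    what the run of Rdr 3013 (redirector timeout) events is doing.  The netstat
    and tasklist text is constructed; it uses netstat's -o column (the owning PID,
    available from Windows XP / Server 2003 on, which the NT4 "netstat -an" in the
    post does not have) and the image name unknown1.exe is a placeholder.  The
    event lines are the fourteen pasted above, reshaped into the one-line,
    tab-delimited form that Event Viewer's Save As (text) export writes.

```python
"""Triage helpers for port-to-process attribution and redirector-timeout
fan-out analysis.  Added example; all sample input below is constructed."""
import csv
import io
import re
from datetime import datetime
from statistics import median

# --- 1. Which process owns a listening port? ---------------------------------
# Constructed `netstat -ano` output.  The PID column comes from -o (XP/2003+);
# NT4's netstat -an, as quoted in the post, has no such column, so a separate
# port-to-process tool is needed there.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       1492
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1492
  TCP    0.0.0.0:6668           0.0.0.0:0              LISTENING       1492
  TCP    192.0.2.10:139         192.0.2.20:1044        ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed `tasklist /fo csv /nh` output: image, PID, session, session#, mem.
# "unknown1.exe" is a placeholder for whatever binary the investigator finds.
TASKLIST_SAMPLE = """\
"System","4","Console","0","236 K"
"svchost.exe","712","Console","0","5,120 K"
"unknown1.exe","1492","Console","0","3,844 K"
"""


def parse_netstat(text):
    """Return [(proto, port, state, pid)] for listening TCP and all UDP sockets."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # header, blank, or "Active Connections" banner
        port = int(f[1].rsplit(":", 1)[1])
        state = f[3] if f[0] == "TCP" else "UDP"
        if f[0] == "TCP" and state != "LISTENING":
            continue
        out.append((f[0], port, state, int(f[-1])))
    return out


def parse_tasklist(text):
    """Map PID -> image name from tasklist's CSV output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def ports_by_process(netstat_text, tasklist_text):
    """Join the two listings: {pid: (image, ["TCP/6667", ...])}.
    Several adjacent ports on one non-system image is the shape to look at."""
    images = parse_tasklist(tasklist_text)
    grouped = {}
    for proto, port, _state, pid in parse_netstat(netstat_text):
        grouped.setdefault(pid, (images.get(pid, "<unknown>"), []))[1].append(f"{proto}/{port}")
    return grouped


# --- 2. What is the burst of Rdr 3013 events doing? --------------------------
# The fourteen events from the post, rebuilt as tab-delimited export lines
# (date, time, source, type, category, event id, user, computer, description).
RDR_FIELDS = ("12/17/01", "Rdr", "Warning", "None", "3013", "N/A", "INTERACT")
RDR_LOG = "\n".join(
    "\t".join([RDR_FIELDS[0], t, *RDR_FIELDS[1:],
               f"The redirector has timed out a request to {host}."])
    for t, host in [
        ("1:16:26 PM", "READING"), ("1:15:11 PM", "STEELSRV"),
        ("1:14:01 PM", "PUBLICSAFETY1"), ("1:12:51 PM", "ANITRA-00"),
        ("1:10:41 PM", "SRFS-PDC"), ("1:09:31 PM", "GODZILLA"),
        ("1:08:21 PM", "SDMWWW"), ("1:07:11 PM", "EXCHANGE"),
        ("1:06:01 PM", "PICASSO"), ("1:04:51 PM", "PITT-TV3"),
        ("1:03:51 PM", "COMPUTERZ"), ("1:02:36 PM", "SDMGENETICS1"),
        ("1:01:36 PM", "BOHNER2"), ("1:00:36 PM", "CALIBAN"),
    ]
)

RDR_3013 = re.compile(
    r"^(?P<date>\d+/\d+/\d+)\t(?P<time>\d+:\d+:\d+ [AP]M)\tRdr\t\w+\t\w+\t3013\t"
    r".*has timed out a request to (?P<target>\S+)\.\s*$"
)


def parse_rdr_events(text):
    """Return [(timestamp, target)] for Rdr 3013 lines, oldest first."""
    events = []
    for line in text.splitlines():
        m = RDR_3013.match(line)
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %I:%M:%S %p")
            events.append((ts, m["target"]))
    return sorted(events)


def summarize_rdr(text, fanout_threshold=10):
    """Fan-out triage.  A user's mapped drives produce repeats against a few
    servers; many distinct targets at a steady cadence looks like something
    walking the network, which is what the thread is asking about."""
    events = parse_rdr_events(text)
    targets = [t for _, t in events]
    gaps = [int((b - a).total_seconds()) for (a, _), (b, _) in zip(events, events[1:])]
    return {
        "events": len(events),
        "distinct_targets": len(set(targets)),
        "repeat_targets": len(targets) - len(set(targets)),
        "span_seconds": int((events[-1][0] - events[0][0]).total_seconds()) if events else 0,
        "median_gap_seconds": median(gaps) if gaps else None,
        "sweep_suspected": len(set(targets)) >= fanout_threshold,
    }


if __name__ == "__main__":
    for pid, (image, ports) in sorted(ports_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items()):
        print(f"PID {pid:>5}  {image:<14} {' '.join(ports)}")
    print(summarize_rdr(RDR_LOG))
```

    On the pasted data the summary is fourteen events, fourteen distinct
    targets, no repeats, about seventy seconds between hits; that regular one-
    host-per-minute walk is the pattern to chase, whatever is on 6667.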



    This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 15:57:24 PST