find process using hidden port

Discussion in 'Trojan Defence Suite' started by jungle, Aug 3, 2004.

Thread Status:
Not open for further replies.
  1. jungle

    jungle Registered Member

    Joined:
    Aug 3, 2004
    Posts:
    2
    A user had a number of instances of Serv-U FTP server on an XP Pro
    machine. I removed all the obvious ones. I ran the TDS3 localhost
    port scan and it turned up a high-numbered TCP port open. I tried telnetting
    to that port and it was another Serv-U FTP server. But the problem is,
    no process shows up anywhere associated with that port. I tried netstat -an
    and fport and neither one showed that port being used. But clearly it was.
    What can I do to find the program that is doing this and remove it?
    I tried the Port Explorer program and it also did not show anything
    using that port. Does that mean it's a driver, perhaps?
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Disregard, see Gavin's post below
     
    Last edited: Aug 4, 2004
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It could possibly be using a rootkit-style process hider; you could run ASViewer (below) in Safe Mode.

    Be sure all autostart locations are showing (show drivers etc.) and then save a log to email us at support, or attach it here. Check it for personal information if you are going to attach it.
     
  4. md411

    md411 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    24
    What is this ASViewer, and where can I get it?
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
  6. bebongbong

    bebongbong Guest

    There are some entries starting with \??\, for example:
    "\??\C:\windows\system32\drivers\procguard.sys"
    What does that mean, as opposed to the others shown as normal paths?
    How do I check for / know about the existence of Windows rootkits on a Windows box?
    Thanks.
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi bebongbong, did you post your ASViewer text file to support@diamondcs.com for analysis as requested?
     
  8. jungle

    jungle Registered Member

    Joined:
    Aug 3, 2004
    Posts:
    2
    I finally found out what it was: Hacker Defender.
    There is a trick to seeing it, which is to map a
    drive from another machine to an administrative
    share on the compromised machine. The trojan
    cannot hide files as well when it is accessed via
    a share.
    This key was visible via ASViewer:
    HKLM\System\CurrentControlSet\Services\TskSrv\ C:\WINDOWS\system32\hxdefsvchst.exe

    One can search the mapped drive for files whose names start with hxdef. I am told that removing its ini file and rebooting
    will stop the hiding actions of Hacker Defender, and then it can be removed. Some associates told me that
    this trojan is often accompanied by something called wolff.

    I am told that Norton can now detect it. But I doubt that it can while running on the same machine as the rootkit.
     
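The two tricks in this thread (an open port that netstat/fport/Port Explorer do not report, and files that show up over an administrative share but not in a local directory listing) are both instances of a cross-view diff: collect the same inventory through two paths, one of which the rootkit's hooks do not cover, and treat the difference as the hidden set. The following is an added example, not code from the thread or from DiamondCS, written to show that comparison in working form. The netstat text, the directory listings and the file names other than hxdefsvchst.exe are constructed for the demo; the listener it starts on 127.0.0.1 stands in for the hidden Serv-U instance.

```python
"""Cross-view diff: what the TCP/IP stack actually answers on versus what the
API-level tools report, and what an SMB share lists versus the local dir listing.
A user-mode rootkit hooks the APIs that netstat/fport/Port Explorer use, so the
port vanishes from their output, but the stack still completes a handshake.
Added example; not the thread's or DiamondCS's code."""
import re
import socket

# Windows "netstat -an" line, e.g.
#   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
NETSTAT_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)


def parse_netstat_listening(netstat_text):
    """Return the set of TCP ports that a netstat -an dump reports as LISTENING."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def scan_localhost(ports, timeout=0.2):
    """Connect scan of 127.0.0.1: a port counts as open only if the stack
    completes the handshake. This path does not go through the hooked APIs."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex(("127.0.0.1", port)) == 0:
                open_ports.add(port)
    return open_ports


def hidden_listeners(scanned_open, reported_listening):
    """Ports the scan found open that the OS-level listing omits."""
    return sorted(set(scanned_open) - set(reported_listening))


def hidden_files(local_listing, share_listing):
    """Names visible when the directory is read through the admin share
    but absent from the local listing (the thread's second trick)."""
    return sorted(set(share_listing) - set(local_listing))


def demo():
    # Throwaway listener standing in for the hidden FTP server (constructed).
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    hidden_port = srv.getsockname()[1]
    try:
        # Constructed netstat output as the rootkit lets us see it: the
        # hidden port is deliberately missing.
        netstat_text = (
            "Active Connections\n\n"
            "  Proto  Local Address          Foreign Address        State\n"
            "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"
            "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING\n"
            "  TCP    192.168.1.5:1032       192.168.1.1:80         ESTABLISHED\n"
        )
        reported = parse_netstat_listening(netstat_text)
        # Probe every reported port plus the one we know is really open; in
        # practice you would probe the full 1-65535 range.
        scanned = scan_localhost(reported | {hidden_port})
        hidden_ports = hidden_listeners(scanned, reported)
    finally:
        srv.close()

    # Constructed directory listings for C:\WINDOWS\system32: the local
    # (hooked) view drops the hxdef* files, the share view does not.
    local_view = ["ntoskrnl.exe", "svchost.exe"]
    share_view = ["ntoskrnl.exe", "svchost.exe", "hxdefsvchst.exe", "hxdef.ini"]
    return {
        "hidden_port": hidden_port,
        "hidden_ports": hidden_ports,
        "hidden_files": hidden_files(local_view, share_view),
    }


if __name__ == "__main__":
    result = demo()
    print("open but unreported TCP ports:", result["hidden_ports"])
    print("files only visible via share:", result["hidden_files"])
```

The scan side is the only part that touches the live machine; on a real box run it from a clean host against the victim's address (or from the victim itself, as TDS3's localhost scan does) and feed it the victim's own `netstat -an` output. The file side expects two listings of the same directory, one taken locally and one taken through `\\victim\C$`, and simply reports what the local one lacks.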
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    TDS would see it too now for you?
    Indeed, getting that ini file out should be the first step to unhide it and make it useless to start with.
    You might like to post your ASViewer log for more nasties, or, if you like, the HJT log.
     