[Dshield] Is there a legitimate service named doom?

Al Reust areust at comcast.net
Fri Jun 24 00:05:19 GMT 2005


SG

This is a bit late and may have more meat. See below (it covers things that 
"new people" may be waiting for to see how others track things down)... No, 
it is not supposed to be a book..

There may be some line wrap, as it is not Outlook, LOL. Some IPs were 
modified for privacy...

At 10:28 AM 6/23/2005 -0700, you wrote:
>Troubleshooting a windows 2k server, a netstat showed a protocol named
>"doom" listening on port 1035.  The latest virus scans show no infection
>(symantec, mcafee stinger, and trendmicro's housecall) all report clean.
>There's been (so far as I can tell) no slow down in service, increase in
>disk size, or anything out of the ordinary.  It possible that this is a
>normal service as opposed to someone running a game?  How would I track
>down what is spawning this service?
>
>- SG

How to track some of what processes are running and then track down the 
offending file or executable.

It depends on the tools that you have, several have mentioned their/my 
favorites.

fport with the /a switch (Sysinternals part of PSTools)

C:\Tools\Fport-2.0>fport -a
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
656   DkService      ->  31038 TCP   C:\Program Files\Executive Software\Diskeeper\DkService.exe
1488  IEXPLORE       ->  2730  TCP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
1488  IEXPLORE       ->  2731  TCP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
1488  IEXPLORE       ->  2732  TCP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
520   IEXPLORE       ->  2735  TCP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
996   MSTask         ->  1025  TCP   C:\PRO\system32\MSTask.exe
8     System         ->  1026  TCP
8     System         ->  139   TCP
8     System         ->  3479  TCP
8     System         ->  445   TCP
1552  boinc          ->  1043  TCP   C:\BOINC\boinc.exe
1076  boincmgr       ->  2033  TCP   C:\BOINC\boincmgr.exe
1464  ccApp          ->  1031  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
444   svchost        ->  135   TCP   C:\PRO\system32\svchost.exe

520   IEXPLORE       ->  1176  UDP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
1820  IEXPLORE       ->  1661  UDP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
1804  IEXPLORE       ->  1906  UDP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
1488  IEXPLORE       ->  2241  UDP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
1972  IEXPLORE       ->  2267  UDP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
8     System         ->  137   UDP
8     System         ->  138   UDP
8     System         ->  445   UDP
1504  iexplore       ->  2343  UDP   C:\Program Files\Internet Explorer\iexplore.exe
272   lsass          ->  4500  UDP   C:\PRO\system32\lsass.exe
272   lsass          ->  500   UDP   C:\PRO\system32\lsass.exe


or

tlist with the -s switch (Microsoft Resource Kit)

C:\Tools\Fport-2.0>tlist -s
    0 System Process
    8 System
  188 SMSS.EXE
  212 CSRSS.EXE       Title:
  208 WINLOGON.EXE    Title: MM Notify Callback
  260 SERVICES.EXE    Svcs:  Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,PlugPlay,ProtectedStorage,seclogon,TrkWks,Wmi
  272 LSASS.EXE       Svcs:  PolicyAgent,SamSs
  444 svchost.exe     Svcs:  RpcSs
  472 CCSETMGR.EXE    Svcs:  ccSetMgr
  500 CCEVTMGR.EXE    Svcs:  ccEvtMgr
  628 spoolsv.exe     Svcs:  Spooler
  656 DkService.exe   Svcs:  Diskeeper
  676 svchost.exe     Svcs:  EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
  688 GHOSTS~2.EXE    Svcs:  GhostStartService
  724 NAVAPSVC.EXE    Svcs:  navapsvc
  756 NPROTECT.EXE    Svcs:  NProtectService
  896 nvsvc32.exe     Svcs:  NVSvc
  924 regsvc.exe      Svcs:  RemoteRegistry
  968 SAVSCAN.EXE     Svcs:  SAVScan
  996 mstask.exe      Svcs:  Schedule
1084 NOPDB.exe       Svcs:  Speed Disk service
1132 symlcsvc.exe    Svcs:  Symantec Core LC
1144 ULCDRSvr.exe    Svcs:  UleadBurningHelper
1172 WinMgmt.exe     Svcs:  WinMgmt
1188 svchost.exe     Svcs:  wuauserv
1200 svchost.exe     Svcs:  BITS
  244 explorer.exe    Title: Program Manager
1440 SymTray.exe     Title: SymTray
1240 DrgToDsc.exe    Title: DrgToDsc
1460 point32.exe     Title:
1464 CCAPP.EXE       Title: Norton AntiVirus
1528 PicasaMediaDete Title: Picasa Media Detector
1604 task32.exe      Title:
1612 rundll32.exe    Title: MediaCenter
1632 AcroTray.exe    Title: AcrobatTrayIcon
  392 ABMTSR.EXE      Title: AlbumTsr
1656 WZQKPICK.EXE    Title: About WinZip Quick Pick
  520 IEXPLORE.EXE    Title: Mount St. Helens VolcanoCam - Mount St. Helens National Volcanic Monument - Microsoft Internet Explorer
1548 TASKMGR.EXE     Title: Windows Task Manager
  640 CMD.EXE         Title: C:\PRO\system32\cmd.exe - tlist -s
1500 Eudora.exe      Title: Eudora
1832 Acrobat.exe     Title: session Window
2196 AOM.exe         Title: AOM
1272 tlist.exe



Some have mentioned netstat; the option that you have under W2K is -a, 
which will tell you connections, so you then look at the offending port and 
the IP address... In the short term you can block that at your router while 
you determine what is happening via fport or tlist.

C:\Tools\Fport-2.0>netstat -an

Active Connections

   Proto  Local Address          Foreign Address        State
   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
   TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
   TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
   TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
   TCP    0.0.0.0:1043           0.0.0.0:0              LISTENING
   TCP    0.0.0.0:2033           0.0.0.0:0              LISTENING
   TCP    0.0.0.0:2730           0.0.0.0:0              LISTENING
   TCP    0.0.0.0:2731           0.0.0.0:0              LISTENING
   TCP    0.0.0.0:2732           0.0.0.0:0              LISTENING
   TCP    0.0.0.0:2735           0.0.0.0:0              LISTENING
   TCP    0.0.0.0:31038          0.0.0.0:0              LISTENING
   TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
   TCP    127.0.0.1:1031         127.0.0.1:3518         TIME_WAIT
   TCP    127.0.0.1:1031         127.0.0.1:3520         TIME_WAIT
   TCP    127.0.0.1:1031         127.0.0.1:3522         TIME_WAIT
   TCP    127.0.0.1:1031         127.0.0.1:3524         TIME_WAIT
   TCP    127.0.0.1:1031         127.0.0.1:3527         TIME_WAIT
   TCP    127.0.0.1:1043         127.0.0.1:2033         ESTABLISHED
   TCP    127.0.0.1:2033         127.0.0.1:1043         ESTABLISHED
   TCP    127.0.0.1:3516         127.0.0.1:445          TIME_WAIT
   TCP    192.168.0.3:139        0.0.0.0:0              LISTENING
   TCP    192.168.0.3:139        192.168.0.12:1061      ESTABLISHED
   TCP    192.168.0.3:2730       128.32.18.186:80       CLOSE_WAIT
   TCP    192.168.0.3:2731       128.32.18.152:80       CLOSE_WAIT
   TCP    192.168.0.3:2732       128.32.18.186:80       CLOSE_WAIT
   TCP    192.168.0.3:2735       128.32.18.152:80       CLOSE_WAIT
   TCP    192.168.0.3:3519       663.240.76.10:110       TIME_WAIT
   TCP    192.168.0.3:3521       636.246.210.8:110       TIME_WAIT
   TCP    192.168.0.3:3523       663.246.210.8:110       TIME_WAIT
   TCP    192.168.0.3:3525       663.246.210.8:110       TIME_WAIT
   UDP    0.0.0.0:445            *:*
   UDP    127.0.0.1:1176         *:*
   UDP    127.0.0.1:1661         *:*
   UDP    127.0.0.1:1906         *:*
   UDP    127.0.0.1:2241         *:*
   UDP    127.0.0.1:2267         *:*
   UDP    127.0.0.1:2343         *:*
   UDP    192.168.0.3:137        *:*
   UDP    192.168.0.3:138        *:*
   UDP    192.168.0.3:500        *:*
   UDP    192.168.0.3:4500       *:*


This tells you what you are "hooked to" and what port is/are 
connected/listening...

One other I like on occasions is Listdlls (Sysinternals)

C:\Tools>listdlls -r cmd

ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
CMD.EXE pid: 640
Command line: "C:\PRO\system32\cmd.exe"

   Base        Size      Version         Path
   0x4ad00000  0x48000   5.00.2195.6824  C:\PRO\system32\cmd.exe
   0x77f80000  0x7d000   5.00.2195.6899  C:\PRO\system32\ntdll.dll
   0x7c570000  0xb3000   5.00.2195.6946  C:\PRO\system32\KERNEL32.dll
   0x77e10000  0x5f000   5.00.2195.7017  C:\PRO\system32\USER32.dll
   0x77f40000  0x3b000   5.00.2195.6945  C:\PRO\system32\GDI32.dll
   0x7c2d0000  0x62000   5.00.2195.6876  C:\PRO\system32\ADVAPI32.dll
   0x77d30000  0x71000   5.00.2195.6904  C:\PRO\system32\RPCRT4.DLL
   0x78000000  0x45000   6.01.9844.0000  C:\PRO\system32\MSVCRT.dll

C:\Tools>

So if you do "listdlls -r doom" it should give the location of the 
offending file and other things that may be loaded that will regenerate 
itself (or other internal hooks).

So, having tied the running process to a file name, you do a dir 
"filename" /s to find where it is located. In your case you are only 
concerned with those that are running under services. If you are familiar 
with what is running on a clean, newly built system you can narrow the list. 
Then in a pinch you can use "explorer" to go and rename various files that 
may be the offending party.

What I would also recommend is to grab a copy of HiJackThis, copy it to the 
machine and run it to see what it states is happening. This does a pretty fair 
job of identifying startup keys that are "not normal."
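The core of the procedure above is cross-checking netstat's listening sockets against fport's port-to-process map, so that a port with no owner (like SG's port 1035) stands out. This is an added example, not code from the post or from any of the tools it names; the sample output is constructed from the rows quoted above, with a port 1035 listener added to mirror the original question.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples modelled on the fport -a and netstat -an output quoted
# above; the port 1035 listener is added to mirror the original question.
FPORT_SAMPLE = r"""
Pid   Process            Port  Proto Path
656   DkService      ->  31038 TCP   C:\Program Files\Executive Software\Diskeeper\DkService.exe
996   MSTask         ->  1025  TCP   C:\PRO\system32\MSTask.exe
8     System         ->  445   TCP
1552  boinc          ->  1043  TCP   C:\BOINC\boinc.exe
"""
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1035           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1043           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1043         127.0.0.1:2033         ESTABLISHED
  TCP    0.0.0.0:31038          0.0.0.0:0              LISTENING
"""
FPORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)$")

def parse_fport(text: str) -> Dict[Tuple[str, int], Tuple[int, str, str]]:
    """Map (proto, port) -> (pid, process, path) for every fport -a row; path is "" if blank."""
    table: Dict[Tuple[str, int], Tuple[int, str, str]] = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            table[(proto, int(port))] = (int(pid), proc, path.strip())
    return table

def listening_ports(text: str) -> List[Tuple[str, int]]:
    """Return (proto, port) for every socket netstat -an reports as LISTENING."""
    found = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(5) == "LISTENING":
            found.append((m.group(1), int(m.group(3))))
    return found

def owner_of(port: int, proto: str, fport_text: str) -> Optional[Tuple[int, str, str]]:
    """Process behind one port, or None when fport has no row for it."""
    return parse_fport(fport_text).get((proto, port))

def unexplained_listeners(netstat_text: str, fport_text: str) -> List[Tuple[str, int]]:
    """Listeners seen by netstat that fport tied to no process: the ones to chase."""
    known = parse_fport(fport_text)
    return [p for p in listening_ports(netstat_text) if p not in known]

if __name__ == "__main__":
    for proto, port in unexplained_listeners(NETSTAT_SAMPLE, FPORT_SAMPLE):
        print(f"{proto} port {port} is listening but fport shows no owner")
```

Run against real output, feed it the saved text of `netstat -an` and `fport -a` taken on the same machine at the same time; a listener that only netstat sees is the one to chase with tlist or listdlls.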
