[Dshield] Strange Windows Behavior
ltr at isc.upenn.edu
Wed Jan 24 09:48:17 GMT 2007
You could always try and boot from a Knoppix CD and look at the files in the
Windows, System and System32 directories. We use HELIX which has a bunch of
forensics tools included. http://www.e-fense.com/helix/
A few other things you might try.
Perform a full nmap scan from a remote machine and then do a netstat -nao on
the problem machine and compare the results. If a port shows up on the nmap
that isn't showing up locally it may indicate something hiding.
Use REG.Exe to remotely enumerate 'run' section of the registry.
reg query \\ip\HKLM\Software\Microsoft\Windows\currentversion\run
You can also try connecting to the system with 'computer manager' and
enumerate the services remotely.
A lot of rootkits don't seem to hide from remote enumeration for the most
Also try LADS to search for Alternative Data Streams
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Jon R. Kibler
Sent: Tuesday, January 23, 2007 9:46 AM
To: General DShield Discussion List
Subject: [Dshield] Strange Windows Behavior
I have a client that has a few of apparently infected systems, but I cannot
find anything wrong. All are Win XP/SP2, fully patched. I have run a full
nmap scan (all 64K TCP and UDP ports), sniffed the network for any bogus
traffic, ran spybot, hijackthis, AV, RootKitRevealer, netstat, fport,
processexplorer, etc. and found nothing unexpected.
Following Paul Marsh's posting, I looked for a 'kdnjh.exe' file but found
none. (Paul, was this file the 'wareout' file?) I have not run fixwareout,
and that may be my next step unless someone can give me some better ideas.
System 1: Runs slow. Task Manager shows a consistent 15% to 25% CPU
utilization on the Performance tab, but shows the system idle process
consuming 98% to 99% of the CPU on the Processes tab. Apparently it has a
hidden process, but what and where? Cannot really take this system down and
rebuild until after all of the EOY processing is completed.
Systems 2-6: Runs a ktelnet application for industry-specific software.
Initially, systems kept dropping their telnet sessions at random. Switch
logs would show a 5 to 10 second period between logging 'protocol down' and
'protocol up' for the system that lost its telnet session, thus it appears
the telnet session drops because the network connection drops. At present,
systems are 'winking out' (screen goes solid black [sometimes solid white]
and even mouse cursor disappears) at the same time the network connection
bites the dust. If this was only one system, I would thought it was a
hardware issue, but it is 5 systems and it happens at random and to usually
only one system at a time.
Other than nuke the boxes and rebuild (which could not be done until the
weekend for systems 2-6, or until Feb for system 1), I haven't a clue where
to proceed from here.
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.
More information about the list