[unisog] Compromised student system

Ben Compton Ben.Compton at sw.edu
Fri Feb 7 17:38:04 GMT 2003


You might want to also check out Active Ports from www.webattack.com.  It
works on Win XP and shows the IP address of the site attached to the port as
well as what process has the port open and where that executable lives on
the system.

BC


-----Original Message-----
From: Arnold, Jamie
To: 'Lois Lehman'; 'Will Saxon'; Chris Wilson; unisog at sans.org
Sent: 2/7/2003 11:38 AM
Subject: RE: [unisog] Compromised student system

Fport does not run on XP.  Use netstat -o instead

-----Original Message-----
From: Lois Lehman [mailto:LOIS.LEHMAN at asu.edu] 
Sent: Friday, February 07, 2003 11:04 AM
To: 'Will Saxon'; Chris Wilson; unisog at sans.org
Subject: RE: [unisog] Compromised student system


There is another utility, fport.exe, from Foundstone that will show you the
application associated with each open port.  Very handy little tool when
looking at a compromised system.

Lois Lehman, GSEC
Network Security Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139


-----Original Message-----
From: Will Saxon [mailto:WillS at housing.ufl.edu] 
Sent: Friday, February 07, 2003 7:23 AM
To: Chris Wilson; unisog at sans.org
Subject: RE: [unisog] Compromised student system

Sysinternals.com has a free utility called handle.exe that might help you
out. I think it matches filenames to pids. They have a couple of other free
tools that you could probably use to track this down.

-Will

> -----Original Message-----
> From: Chris Wilson [mailto:chrisw at nipissingu.ca]
> Sent: Thursday, February 06, 2003 2:22 PM
> To: unisog at sans.org
> Subject: [unisog] Compromised student system
> 
> 
> We are currently looking at a student system that is running
> Win XP Home. The system seems to be doing a lot on port 25,
> but we have been unable to find out what processes are running
> on the system.
> 
> 
> When the task manager is attempted to be opened it is auto
> closing itself almost instantly.
> 
> Many ports are open when looked at with netstat -ANO.
> 
> 

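A worked illustration of the approach the replies converge on: take the owning PID from netstat -ano, then use a second tool to turn that PID into a process name, and look for the process holding the port 25 traffic. This is an added example, not code from anyone in the thread. The netstat and tasklist output it parses is constructed to resemble an XP box with a mass-mailing process; the image name svhost32.exe, the PIDs and the addresses are made up. Note that tasklist.exe ships with XP Professional but not with XP Home, so on the system in question the PID-to-name mapping would come from a tool such as Sysinternals pslist instead; the correlation step is the same.

```python
"""Correlate `netstat -ano` output with `tasklist` output to find which
process owns each socket, and which process is talking SMTP.

Added example; all sample output below is constructed, not captured
from the system discussed in the thread."""
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` on Windows XP.
# TCP rows: Proto Local Foreign State PID; UDP rows have no State column.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1788
  TCP    192.0.2.10:1043        198.51.100.25:25       ESTABLISHED     1788
  TCP    192.0.2.10:1044        198.51.100.26:25       SYN_SENT        1788
  TCP    192.0.2.10:1045        203.0.113.7:25         ESTABLISHED     1788
  TCP    192.0.2.10:1102        203.0.113.80:80        ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1025         *:*                                    1788
"""

# Constructed sample of `tasklist` output (image name, PID, session, mem).
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  912 Console                 0      4,520 K
svhost32.exe                1788 Console                 0      6,128 K
iexplore.exe                2204 Console                 0     18,340 K
"""


def split_endpoint(endpoint):
    """'192.0.2.10:1043' -> ('192.0.2.10', 1043); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket row of `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""          # UDP rows carry no state
        else:
            continue            # tolerate odd rows rather than crash
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        conns.append({"proto": proto, "local_ip": lhost, "local_port": lport,
                      "remote_ip": rhost, "remote_port": rport,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (names may contain spaces)."""
    procs, past_header = {}, False
    for line in text.splitlines():
        if line.startswith("====="):
            past_header = True
            continue
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+", line) if past_header else None
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def summarize(conns, procs):
    """Group sockets by owning PID: listening TCP ports, bound UDP ports, peers."""
    out = {}
    for c in conns:
        e = out.setdefault(c["pid"], {"image": procs.get(c["pid"], "<unknown>"),
                                      "listening": set(), "udp": set(), "remote": set()})
        if c["proto"] == "UDP":
            e["udp"].add(c["local_port"])
        elif c["state"] == "LISTENING":
            e["listening"].add(c["local_port"])
        else:
            e["remote"].add((c["remote_ip"], c["remote_port"]))
    return out


def outbound_to_port(conns, procs, port):
    """PIDs with non-listening TCP sockets to remote `port`, busiest first.
    Many SMTP peers from one non-mail process is the mass-mailer pattern
    the original post describes (lots of activity on port 25)."""
    counts = defaultdict(int)
    for c in conns:
        if c["proto"] == "TCP" and c["state"] != "LISTENING" and c["remote_port"] == port:
            counts[c["pid"]] += 1
    return sorted(((pid, procs.get(pid, "<unknown>"), n) for pid, n in counts.items()),
                  key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_tasklist(TASKLIST_SAMPLE)
    for pid, e in sorted(summarize(conns, procs).items()):
        print(f"PID {pid:>5} {e['image']:<22} listen={sorted(e['listening'])} "
              f"udp={sorted(e['udp'])} peers={sorted(e['remote'])}")
    for pid, image, n in outbound_to_port(conns, procs, 25):
        print(f"SMTP talker: PID {pid} ({image}) with {n} port-25 sockets")
```

The PID only names the process; the image name from tasklist or pslist is what the malware chose, so the next step is still to find where that executable lives on disk (which is what Active Ports, fport and handle add over plain netstat) before deciding what to kill.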

