[unisog] Compromised student system

Lois Lehman LOIS.LEHMAN at asu.edu
Fri Feb 7 16:03:44 GMT 2003

There is another utility, fport.exe, from Foundstone that will show you the
application associated with each open port.  Very handy little tool when
looking at a compromised system.

Lois Lehman, GSEC
Network Security Manager
College of Liberal Arts & Sciences
Arizona State University

-----Original Message-----
From: Will Saxon [mailto:WillS at housing.ufl.edu] 
Sent: Friday, February 07, 2003 7:23 AM
To: Chris Wilson; unisog at sans.org
Subject: RE: [unisog] Compromised student system

Sysinternals.com has a free utility called handle.exe that might help you
out. I think it matches filenames to pids. They have a couple of other free
tools that you could probably use to track this down.


> -----Original Message-----
> From: Chris Wilson [mailto:chrisw at nipissingu.ca]
> Sent: Thursday, February 06, 2003 2:22 PM
> To: unisog at sans.org
> Subject: [unisog] Compromised student system
> We are curently looking at a student system that is running 
> Win XP home. The system seems to be doing alot on port 25. 
> but we have been unable to findout what processes are running 
> on the system
> when the task manager is atempted to be opened it is auto 
> closing itsself almost instantly.
> many ports are open when looked at with netstat -ANO 

More information about the unisog mailing list