[unisog] Compromised student system
LOIS.LEHMAN at asu.edu
Fri Feb 7 16:03:44 GMT 2003
There is another utility, fport.exe, from Foundstone that will show you the
application associated with each open port. Very handy little tool when
looking at a compromised system.
Lois Lehman, GSEC
Network Security Manager
College of Liberal Arts & Sciences
Arizona State University
From: Will Saxon [mailto:WillS at housing.ufl.edu]
Sent: Friday, February 07, 2003 7:23 AM
To: Chris Wilson; unisog at sans.org
Subject: RE: [unisog] Compromised student system
Sysinternals.com has a free utility called handle.exe that might help you
out. I think it matches filenames to pids. They have a couple of other free
tools that you could probably use to track this down.
> -----Original Message-----
> From: Chris Wilson [mailto:chrisw at nipissingu.ca]
> Sent: Thursday, February 06, 2003 2:22 PM
> To: unisog at sans.org
> Subject: [unisog] Compromised student system
> We are currently looking at a student system that is running
> Win XP Home. The system seems to be doing a lot on port 25,
> but we have been unable to find out what processes are running
> on the system.
> When the task manager is attempted to be opened it is auto
> closing itself almost instantly.
> Many ports are open when looked at with netstat -ANO
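
The thread's starting point is `netstat -ano` output, whose last column is the owning PID. As an added example (not part of any message in the thread), the Python below parses a saved capture of that output and groups remote port 25 connections and listening ports by PID, which is the value to look up with the tools suggested above. The sample capture, addresses, PIDs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not taken from the thread).
# Addresses are documentation ranges; PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       840
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:1045        198.51.100.7:25        ESTABLISHED     1312
  TCP    192.0.2.10:1046        203.0.113.20:25        SYN_SENT        1312
  TCP    192.0.2.10:1047        203.0.113.99:25        ESTABLISHED     1312
  TCP    192.0.2.10:1051        198.51.100.80:80       ESTABLISHED     1720
  UDP    0.0.0.0:1026           *:*                                    1312
"""

# proto, local addr:port, foreign addr:port, optional state (UDP has none), PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)"
                 r"\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Yield one dict per socket row; banner, header and blank lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, _, lport, raddr, rport, state, pid = m.groups()
            yield {"proto": proto, "lport": int(lport), "raddr": raddr,
                   "rport": rport, "state": state or "", "pid": int(pid)}

def remote_port_talkers(text, port=25):
    """Map PID -> sorted remote hosts it has outbound TCP sockets to on `port`."""
    hits = defaultdict(set)
    for c in parse_netstat(text):
        if c["proto"] == "TCP" and c["rport"] == str(port) and c["state"] != "LISTENING":
            hits[c["pid"]].add(c["raddr"])
    return {pid: sorted(hosts) for pid, hosts in hits.items()}

def listeners(text):
    """Map PID -> sorted local TCP ports that PID is listening on."""
    ports = defaultdict(list)
    for c in parse_netstat(text):
        if c["state"] == "LISTENING":
            ports[c["pid"]].append(c["lport"])
    return {pid: sorted(p) for pid, p in ports.items()}

if __name__ == "__main__":
    for pid, hosts in remote_port_talkers(SAMPLE).items():
        print(f"PID {pid}: {len(hosts)} remote SMTP peers: {', '.join(hosts)}")
```

A single PID holding SMTP sessions to several unrelated hosts, as PID 1312 does in the constructed sample, is the process to identify first.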