[unisog] Compromised student system

Arnold, Jamie harnold at binghamton.edu
Fri Feb 7 16:38:20 GMT 2003

Fport does not run on XP.  Use netstat -o instead

-----Original Message-----
From: Lois Lehman [mailto:LOIS.LEHMAN at asu.edu] 
Sent: Friday, February 07, 2003 11:04 AM
To: 'Will Saxon'; Chris Wilson; unisog at sans.org
Subject: RE: [unisog] Compromised student system

There is another utility, fport.exe, from Foundstone that will show you the
application associated with each open port.  Very handy little tool when
looking at a compromised system.

Lois Lehman, GSEC
Network Security Manager
College of Liberal Arts & Sciences
Arizona State University

-----Original Message-----
From: Will Saxon [mailto:WillS at housing.ufl.edu] 
Sent: Friday, February 07, 2003 7:23 AM
To: Chris Wilson; unisog at sans.org
Subject: RE: [unisog] Compromised student system

Sysinternals.com has a free utility called handle.exe that might help you
out. I think it matches filenames to pids. They have a couple of other free
tools that you could probably use to track this down.


> -----Original Message-----
> From: Chris Wilson [mailto:chrisw at nipissingu.ca]
> Sent: Thursday, February 06, 2003 2:22 PM
> To: unisog at sans.org
> Subject: [unisog] Compromised student system
> We are currently looking at a student system that is running
> Win XP Home. The system seems to be doing a lot on port 25,
> but we have been unable to find out what processes are running
> on the system.
> When the task manager is attempted to be opened it is auto
> closing itself almost instantly.
> Many ports are open when looked at with netstat -ANO.
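The netstat -o approach suggested above, worked through as an added example that is not part of this thread: a small Python script that parses constructed `netstat -ano` output (the PID column is what -o adds), joins it with constructed `tasklist /fo csv /nh` output to name each process, and reports which PIDs are talking to remote port 25. The sample output, the process names and the assumption that tasklist is available on the box are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not captured from the system
# discussed in the thread). The last column is the PID added by -o.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.20:1054      203.0.113.7:25         ESTABLISHED     1588
  TCP    192.168.1.20:1055      198.51.100.9:25        SYN_SENT        1588
  TCP    192.168.1.20:1060      192.0.2.44:80          ESTABLISHED     1204
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output, used to map PIDs to
# image names (assumes tasklist is present; Task Manager itself was unusable).
TASKLIST_SAMPLE = """\
"svchost.exe","932","Console","0","4,812 K"
"iexplore.exe","1204","Console","0","21,004 K"
"msupd.exe","1588","Console","0","3,120 K"
"""

# Proto, local, remote, optional state (UDP rows have none), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples for each socket row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    names = {}
    for line in text.splitlines():
        fields = [f.strip('"') for f in line.split('","')]
        if len(fields) >= 2 and fields[1].isdigit():
            names[int(fields[1])] = fields[0]
    return names

def port_of(addr):
    """Port number of 'host:port', or None for wildcard entries like '*:*'."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def suspects(netstat_text, tasklist_text, port=25):
    """PIDs with connections to remote `port`: name, listening ports, peers."""
    names = parse_tasklist(tasklist_text)
    by_pid = defaultdict(lambda: {"name": "?", "listening": [], "peers": set()})
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        entry = by_pid[pid]
        entry["name"] = names.get(pid, "?")
        if state == "LISTENING":
            entry["listening"].append(port_of(local))
        elif port_of(remote) == port:  # ESTABLISHED or SYN_SENT both count
            entry["peers"].add(remote.rsplit(":", 1)[0])
    return {pid: e for pid, e in by_pid.items() if e["peers"]}
```

On the constructed data this singles out PID 1588 (msupd.exe), which is both connecting out to port 25 and listening on 4444, the kind of pairing worth looking at first on a box that is "doing a lot on port 25".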
