[unisog] Compromised student system

Lois Lehman LOIS.LEHMAN at asu.edu
Fri Feb 7 16:57:47 GMT 2003


Foundstone's latest version of fport.exe runs on XP.  Check it out at this
url, http://www.foundstone.com/knowledge/proddesc/fport.html
 

fport - Identify unknown open ports and their associated applications
Copyright 2002 (c) by Foundstone, Inc.
http://www.foundstone.com 
----------------------------------------------------------------------------

fport supports Windows NT4, Windows 2000 and Windows XP

fport reports all open TCP/IP and UDP ports and maps them to the owning
application. This is the same information you would see using the 'netstat
-an' command, but it also maps those ports to running processes with the
PID, process name and path. Fport can be used to quickly identify unknown
open ports and their associated applications.

Lois Lehman, GSEC
Network Security Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139
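
As an added example (not code from the original thread, from Foundstone or from Sysinternals), the script below does the join that fport and netstat -o do: it parses netstat -ano output, maps each socket's PID to an image name from tasklist /fo csv output, lists what each PID is bound to, and counts how many sockets each PID has open toward remote port 25, the pattern Chris reported. The netstat and tasklist text inside it is constructed sample data, and the process name netsvc.exe is a placeholder; on a live machine you would feed it the real command output instead.

```python
"""Map open ports to owning processes from netstat -ano and tasklist output.

Added example, not part of the original thread or of fport/handle.exe.
The netstat and tasklist text below is constructed sample data, not a capture
from the student system; the process name netsvc.exe is a placeholder.
"""
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed `netstat -ano` output in the Windows XP layout (UDP rows carry no State).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       2212
  TCP    192.168.1.20:1038      10.0.0.5:25            ESTABLISHED     2212
  TCP    192.168.1.20:1039      10.0.0.9:25            SYN_SENT        2212
  TCP    192.168.1.20:1040      10.0.0.12:25           ESTABLISHED     2212
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:1026           *:*                                    2212
"""

# Constructed `tasklist /fo csv` output; netsvc.exe is a placeholder name.
SAMPLE_TASKLIST = """
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","936","Console","0","4,876 K"
"netsvc.exe","2212","Console","0","3,120 K"
"""


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: str
    remote_ip: str
    remote_port: str
    state: str  # empty for UDP, which netstat prints without a state column
    pid: int


def _split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'192.168.1.20:1038' -> ('192.168.1.20', '1038'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text: str) -> List[Conn]:
    """Turn netstat -ano text into Conn records, skipping banner and header lines."""
    conns: List[Conn] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, remote, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:
            proto, local, remote, pid = fields
            state = ""
        else:
            continue  # malformed row: skip rather than guess at its columns
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def owner_of(pid: int, procs: Dict[int, str]) -> str:
    """Image name for a PID, or a marker when the PID vanished between the two snapshots."""
    return procs.get(pid, "<unknown pid>")


def listeners_by_pid(conns: List[Conn]) -> Dict[int, Set[Tuple[str, str]]]:
    """Ports each PID is bound to: TCP sockets in LISTENING plus every UDP socket."""
    out: Dict[int, Set[Tuple[str, str]]] = defaultdict(set)
    for c in conns:
        if c.state == "LISTENING" or c.proto == "UDP":
            out[c.pid].add((c.proto, c.local_port))
    return dict(out)


def remote_port_talkers(conns: List[Conn], port: str = "25") -> Counter:
    """Count TCP sockets per PID toward the given remote port (SMTP by default)."""
    counts: Counter = Counter()
    for c in conns:
        if c.proto == "TCP" and c.remote_port == port:
            counts[c.pid] += 1
    return counts


def report(netstat_text: str, tasklist_text: str, smtp_port: str = "25") -> List[str]:
    """One line per listening PID, then one per PID talking to the remote port."""
    conns = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    lines = []
    for pid, ports in sorted(listeners_by_pid(conns).items()):
        bound = ", ".join(f"{proto}/{port}" for proto, port in sorted(ports))
        lines.append(f"pid {pid:<5} {owner_of(pid, procs):<16} listening: {bound}")
    for pid, n in remote_port_talkers(conns, smtp_port).most_common():
        lines.append(f"pid {pid:<5} {owner_of(pid, procs):<16} {n} socket(s) to remote port {smtp_port}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT, SAMPLE_TASKLIST)))
```

On a live machine, capture the two snapshots back to back (netstat -ano > net.txt and tasklist /fo csv > procs.txt) and pass the file contents to report(); a PID that shows in netstat but not in tasklist means the process exited between the two commands, which the owner_of() marker makes visible. The usual caveat applies to any of these tools, fport and handle.exe included: on a box where something is killing Task Manager, the netstat and tasklist binaries or the system calls behind them may themselves be tampered with, so treat the output as a lead and confirm it from the network side or from a clean boot medium.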


-----Original Message-----
From: Arnold, Jamie [mailto:harnold at binghamton.edu] 
Sent: Friday, February 07, 2003 9:38 AM
To: 'Lois Lehman'; 'Will Saxon'; Chris Wilson; unisog at sans.org
Subject: RE: [unisog] Compromised student system

Fport does not run on XP.  Use netstat -o instead.

-----Original Message-----
From: Lois Lehman [mailto:LOIS.LEHMAN at asu.edu] 
Sent: Friday, February 07, 2003 11:04 AM
To: 'Will Saxon'; Chris Wilson; unisog at sans.org
Subject: RE: [unisog] Compromised student system


There is another utility, fport.exe, from Foundstone that will show you the
application associated with each open port.  Very handy little tool when
looking at a compromised system.

Lois Lehman, GSEC
Network Security Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139


-----Original Message-----
From: Will Saxon [mailto:WillS at housing.ufl.edu] 
Sent: Friday, February 07, 2003 7:23 AM
To: Chris Wilson; unisog at sans.org
Subject: RE: [unisog] Compromised student system

Sysinternals.com has a free utility called handle.exe that might help you
out. I think it matches filenames to PIDs. They have a couple of other free
tools that you could probably use to track this down.

-Will

> -----Original Message-----
> From: Chris Wilson [mailto:chrisw at nipissingu.ca]
> Sent: Thursday, February 06, 2003 2:22 PM
> To: unisog at sans.org
> Subject: [unisog] Compromised student system
> 
> 
> We are currently looking at a student system that is running
> Win XP Home. The system seems to be doing a lot on port 25,
> but we have been unable to find out what processes are running
> on the system.
> 
> 
> When an attempt is made to open Task Manager, it auto-closes
> itself almost instantly.
> 
> Many ports are open when looked at with netstat -ANO.
> 
> 

