Network Security Pen-Test

Unknown App

Subject: Unknown App
Date: Fri, 22 Jul 2005 11:57:43 -0700
 
It is my opinion, I would hope others would agree, that with this particular
issue as originally described the only way to identify and mitigate whatever
is happening is to get local access to the machine and then start performing
some initial forensics like others and myself have suggested by running
utilities that show what processes/PIDs are bound to which ports.  This will
allow you to search for the potentially offending file/executable and do
some more investigation from there.

Remember however, the biggest concern is that if there is a compromise, the
box typically has to be completely wiped and installed from scratch to
eliminate the possibility of other backdoors/Trojans that may be residing on
your machine.  Many/most rootkits for example have a payload to deliver on
the machine, but also drop various other items and make configuration
changes to allow an attacker other methods to regain access to the
compromised machine.  It all depends on what your findings are and the level
of risk an organization is willing to accept to effectively mitigate.

Many administrators or management, who don't have security training or
mindset, overlook this fact and think they have mitigated the issue when in
fact malicious activity continues to occur or the issue originally
discovered resurfaces.


Scott Fuhriman


-----Original Message-----
From: Sharad Birmiwal [mailto:sharadbirmiwal@gmail.com] 
Sent: Friday, July 22, 2005 2:31 AM
To: thenightweighsheavy@gmail.com; pen-test@securityfocus.com
Subject: Re: Unknown App

I recently discovered some worm on my network that tried to spread a payload
file 'xxxxxxxx' by binding on port 80. It didn't serve a banner or any
webpages, but http://<ip>/xxxxxxxx worked.

sharad birmiwal

On 7/21/05, Scott Fuhriman <fuhrimans@llix.net> wrote:

The easiest and fastest approach is to use a port mapping utility like 
Active Ports
(http://www.ntutility.com) or TCPview (www.sysinternals.com) (there 
are others like fport, etc...) which will allow you to see what 
process has port 80 open on the machines.

This will allow you to identify what application/process is utilizing 
that port.



Scott Fuhriman
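
One way to do the port-to-process mapping Scott describes, as an added example that is not part of the thread: it uses built-in PowerShell cmdlets on current Windows (NetTCPIP module, Windows 8 / Server 2012 and later) in place of the 2005-era Active Ports/TCPview/fport tools, and adds the path and Authenticode checks a responder would want before deciding what to pull off the box. The function name and the `$SuspectPorts` list are assumptions for this example.

```powershell
# Added example, not from the thread. Lists every listening TCP socket with the
# PID, process name, image path and signature status of its owner, and flags the
# ports under investigation. Run elevated to get paths for all processes.
$SuspectPorts = @(80)   # assumption: the port from the original question

function Get-ListenerOwners {
    param([int[]]$Ports = @())

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue

        # Get-Process returns no Path for protected/system processes; fall back to CIM.
        $path = if ($proc) { $proc.Path } else { $null }
        if (-not $path) {
            $cim  = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)" -ErrorAction SilentlyContinue
            $path = if ($cim) { $cim.ExecutablePath } else { $null }
        }

        # An unsigned or tampered image on a suspect port is the file to examine first.
        $sig = if ($path -and (Test-Path $path)) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'Unknown' }

        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            PID          = $conn.OwningProcess
            ProcessName  = if ($proc) { $proc.ProcessName } else { '<no such process>' }
            Path         = $path
            Signature    = $sig
            Flagged      = ($Ports -contains [int]$conn.LocalPort)
        }
    }
}

$listeners = Get-ListenerOwners -Ports $SuspectPorts
$listeners |
    Sort-Object @{ Expression = 'Flagged'; Descending = $true }, LocalPort |
    Format-Table -AutoSize

# Candidates for the "offending file/executable": flagged ports whose owner is
# not a validly signed binary, or runs from temp/profile directories.
$listeners | Where-Object { $_.Flagged -and $_.Signature -ne 'Valid' }
```

A listener on port 80 owned by something other than the expected web server, or with no live process behind the PID, is the point at which the box should be imaged rather than cleaned in place, as the rest of the thread argues.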


