Port being used but no process 'owns' up to it.

Guest
Archived from groups: microsoft.public.win2000.security

I have a 2000 server that has had an FTP server installed. You get to
it via port 8899 or 999. An nmap scan of the server shows those ports.
However, if you run ActivePorts, FPort, TCPView, netstat -an, etc., they
do NOT show those ports, let alone the process that owns them. I have
looked around for an answer but I cannot find the offending process.

I have seen on another server where there was a process running and it
blocked visibility of files, processes, registry keys, services, etc.
However, connecting remotely revealed them.

I am stumped on this port problem. Any ideas?

Roger
email: larock 'at' mail.com
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

If the process is not running at the time you run one of those tools, it will not
show a port mapped to it. Did you also try Process Explorer, which shows processes in
more detail, not just those used for networking, and shows the ports a process
listens on under Properties/TCP-IP? I would also scan for processes running remotely
from another computer using something like PsList. If you have a root kit compromise,
the rogue process may not be apparent from local tools run on the compromised
computer. Autoruns is also good to use to show what processes are run at startup from
many places within the operating system. --- Steve

http://www.sysinternals.com/ntw2k/freeware/pslist.shtml
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

"larock" <abc@abc.com> wrote in message
news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. An nmap scan of the server shows those ports.
> However, if you run ActivePorts, FPort, TCPView, netstat -an, etc., they
> do NOT show those ports, let alone the process that owns them. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However, connecting remotely revealed them.
>
> I am stumped on this port problem. Any ideas?
>
> Roger
> email: larock 'at' mail.com
>
>
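The cross-check Steve describes (scan from another machine, then compare with what the local tools report) can be automated as a cross-view diff. This is an added example, not code from the thread; the nmap and netstat text below is constructed sample input, and the script flags any TCP port that is open from outside but missing from the local netstat listing.

```python
import re

# Constructed sample (not from the original thread): what an external
# nmap scan of the server reported.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
21/tcp   open  ftp
135/tcp  open  msrpc
999/tcp  open  unknown
8899/tcp open  unknown
"""

# Constructed sample of `netstat -an` run locally on the same server;
# the two FTP listeners are absent, as the original poster observed.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""


def remote_open_tcp_ports(nmap_text):
    """Return the set of TCP ports that nmap reported as open."""
    ports = set()
    for line in nmap_text.splitlines():
        m = re.match(r"(\d+)/tcp\s+open\b", line.strip())
        if m:
            ports.add(int(m.group(1)))
    return ports


def local_listening_tcp_ports(netstat_text):
    """Return the set of TCP ports the local netstat shows in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            # rsplit handles both 0.0.0.0:21 and [::]:21 address forms
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def hidden_ports(nmap_text, netstat_text):
    """Ports open from outside but invisible locally: a cross-view discrepancy."""
    return sorted(remote_open_tcp_ports(nmap_text) - local_listening_tcp_ports(netstat_text))


if __name__ == "__main__":
    for port in hidden_ports(NMAP_OUTPUT, NETSTAT_OUTPUT):
        print(f"port {port}/tcp is open remotely but absent from local netstat")
```

A non-empty result means the local view is being filtered, which is the symptom the thread attributes to a root kit; the comparison itself should be run from the uncompromised scanning host.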
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

"larock" <abc@abc.com> wrote in message
news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. An nmap scan of the server shows those ports.
> However, if you run ActivePorts, FPort, TCPView, netstat -an, etc., they
> do NOT show those ports, let alone the process that owns them. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However, connecting remotely revealed them.

That would be a Windows root kit. Use the same method [connecting remotely]
to detect this. Scan the hard drive with an anti-virus scanner and/or
inspect the parts of the registry that start up processes when Windows
starts, as well as the part of the registry that starts up services.
Searching google for RKDetect might be useful as well.

Don't forget to figure out what you neglected to do to properly secure this
system. Probably missing patches, firewall and/or anti-virus.

http://securityadmin.info/faq.asp#harden
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

"larock" <abc@abc.com> wrote in message
news:hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. An nmap scan of the server shows those ports.
> However, if you run ActivePorts, FPort, TCPView, netstat -an, etc., they
> do NOT show those ports, let alone the process that owns them. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However, connecting remotely revealed them.

BTW for Windows root kits like Hacker Defender, you can often rename CMD.EXE
to one of the file names being hidden [such as HXDEFCMD.EXE or
SERVCMD.EXE] to bypass the root kit. The file will disappear, but you can
still launch it by clicking Start, Run and typing in the full path and file
name where the now hidden file is. Once you do that, anything you run or
launch from that command window, such as fport, should be able to see the
hidden files and ports.

See here for some other suggestions and comments about removing hacker
defender:

http://bagpuss.swan.ac.uk/comms/hxdef.htm
 

Joe

Distinguished
Mar 31, 2004
1,187
0
19,280
Archived from groups: microsoft.public.win2000.security (More info?)

Hey Larock,

Go to regedit!
do a search on "powerful"
Then see what the reference is! If you have any more questions shoot me an email.

L8R,
Joe

larock <abc@abc.com> wrote in message news:<hkcbh054bejfguav9rk8ql47okk5np81cn@4ax.com>...
> I have a 2000 server that has had an FTP server installed. You get to
> it via port 8899 or 999. An nmap scan of the server shows those ports.
> However, if you run ActivePorts, FPort, TCPView, netstat -an, etc., they
> do NOT show those ports, let alone the process that owns them. I have
> looked around for an answer but I cannot find the offending process.
>
> I have seen on another server where there was a process running and it
> blocked visibility of files, processes, registry keys, services, etc.
> However, connecting remotely revealed them.
>
> I am stumped on this port problem. Any ideas?
>
> Roger
> email: larock 'at' mail.com