
backdoor actions


viruz

Jr. Member

Posts: 50

Joined: Sun Jan 11, 2009 9:08 pm

Post Thu Jun 04, 2009 7:37 pm

backdoor actions

If I may ask, what do you guys do when you notice backdoor activity on your machine? You run netstat and see unknown established connections, you find the rootkit and cannot see it, you also look into hidden files and folders and yet cannot see the backdoor. What do you do?

apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Thu Jun 04, 2009 8:49 pm

Re: backdoor actions

I would start out with a "netstat -ano" in the shell console and look for the pid.  I would then pull up process list and see what the process was.  Once I had the pid, from the console window I might do a 'tasklist /M /FI "PID eq <PID FROM netstat>"' and see if there are any dlls loaded that would possibly cause issues.  I would download sysinternals suite, look at rootkit revealer, and look at the process listing to see what might be hidden from traditional tools.

As far as getting rid of whatever it is, Malwarebytes Anti-Malware is a decent place to start.  You say you found the rootkit and can't see it; could you elaborate?
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
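The PID correlation apollo describes (netstat -ano, then tasklist for the owning process) is easy to do by hand for one connection and tedious for a screenful. The script below is an added example, not code from the thread or from any of the posters: it parses constructed stand-ins for `netstat -ano` and `tasklist` output, keeps only active connections to addresses outside the local networks, and tags each with the image name. A PID that the TCP stack reports but tasklist does not list is reported rather than dropped, because that gap is the classic sign of a user-mode rootkit filtering the process list. All names, PIDs and addresses in the samples are invented.

```python
"""Correlate Windows `netstat -ano` connections with `tasklist` image names.

Added example, not part of the original thread. The two sample blocks are
constructed stand-ins for `netstat -ano` and `tasklist` output; on a live
machine you would capture them with subprocess instead.
"""
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not a real capture). The
# 203.0.113.x / 198.51.100.x addresses are documentation ranges standing in
# for "somewhere on the internet".
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.5:1043       192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.5:1077       203.0.113.25:6667      ESTABLISHED     1532
  TCP    192.168.1.5:1080       198.51.100.7:443       TIME_WAIT       0
  TCP    192.168.1.5:1090       198.51.100.9:8080      ESTABLISHED     2716
  UDP    0.0.0.0:500            *:*                                    612
"""

# Constructed sample of `tasklist` output. PID 2716 is deliberately absent:
# a process the TCP stack knows about but tasklist cannot see is exactly
# the discrepancy a process-hiding rootkit produces.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
lsass.exe                      612 Console                    0      1,400 K
svchost.exe                    884 Console                    0      5,120 K
hiddenwebcamviewer.exe        1532 Console                    0      3,812 K
"""

TASKLIST_ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

# Address ranges that are "this box or this LAN", not the outside world.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7", "::/128")]


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` table output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("image")
    return procs


def parse_netstat(text):
    """Yield one dict per connection row of `netstat -ano` (TCP and UDP)."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so the PID is always the last field.
        yield {
            "proto": parts[0],
            "local": parts[1],
            "remote": parts[2],
            "state": parts[3] if len(parts) == 5 else "",
            "pid": int(parts[-1]),
        }


def is_external(addr):
    """True if the host part of 'ip:port' lies outside LOCAL_NETS."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' in UDP rows, or a hostname
        return False
    return not any(ip in net for net in LOCAL_NETS)


def suspicious_connections(netstat_text, tasklist_text):
    """Active connections to external hosts, each tagged with its owning
    image name, or '<not in tasklist>' when the PID is missing there."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for conn in parse_netstat(netstat_text):
        if conn["state"] not in ("ESTABLISHED", "SYN_SENT"):
            continue            # TIME_WAIT/LAST_ACK rows carry no useful PID
        if not is_external(conn["remote"]):
            continue
        conn["image"] = procs.get(conn["pid"], "<not in tasklist>")
        hits.append(conn)
    return hits


if __name__ == "__main__":
    for c in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f'{c["pid"]:>6}  {c["image"]:<24} {c["local"]} -> {c["remote"]}  {c["state"]}')
```

Run against the samples it reports two connections: PID 1532 (hiddenwebcamviewer.exe) talking to port 6667, and PID 2716 with no tasklist entry at all. The second is the one to take to Process Explorer or RootkitRevealer first, since a PID that only the network stack admits to is stronger evidence than any file name.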

viruz

Jr. Member

Posts: 50

Joined: Sun Jan 11, 2009 9:08 pm

Post Thu Jun 04, 2009 9:03 pm

Re: backdoor actions

Thanks for your response. I was doing research on ircd and bots; I opened a link and my browser was infected and said hiddenwebcamviewer.exe was successfully installed. I ran into a trojan.. lol. I did netstat and saw a strange connection, did whois on the IP and AOL was the service provider, then I checked "view hidden files and folders" in CP and looked at my windows and system32 dirs, found nothing, ran my AV and anti-malware, still found nothing with them either.. guess it was well packed and crypted. I still run netstat and find strange connections; it's just giving me a headache.
I hope you understand.

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Jun 05, 2009 12:49 am

Re: backdoor actions

Once a rootkit is on your machine, it's tough to see what it's doing.  One easy thing to do is use nmap from another machine and scan your infected box.  The rootkit will likely hook various APIs on your machine, making detection difficult.  If you take the detection task outside your machine, you are in better shape. 
~~~~~~~~~~~~~~
Ketchup

former33t

Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Fri Jun 05, 2009 6:36 pm

Re: backdoor actions

Ketchup is right.  I do a lot of this for a living and I can honestly say that once you are "rooted" it is REALLY difficult to know that you have a clean system again.  Truly skilled attackers will often leave two backdoors, one much more obvious than the other so they can get back in to critical systems.  If this is just your home machine, then maybe just one backdoor, maybe not.

No joke, if it were me I'd back up my data and rebuild the machine from the ground up.  Just too much bad stuff is possible to leave an attacker on my machine.

If you must have your machine without rebuilding, look at the system from the outside in.  Backdoors have to communicate with the outside world.  They are either called in to or they call out themselves.  Putting a machine where you can listen in between the compromised machine and the internet and capturing packets will tell you if it is calling out.  As for calling in, in most simple examples the attacker configures a backdoor that listens on a port.  As Ketchup said, fire up nmap and try to connect to every port.  If you see it as open, but a netstat shows it closed, there's your listener.  How to get rid of it is a whole different topic.

Good luck.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
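The "scan from outside, compare with netstat on the box" check that Ketchup and former33t describe, written out as an added example (not code from the thread or from either poster). It parses constructed stand-ins for nmap's grepable (-oG) output and for `netstat -an` on the suspect host, and reports the ports the scanner saw open that the host never admits to listening on. It also handles the outcome viruz reported: when nothing is open and the rest is filtered, the scan has told you nothing about listeners, so the function says so instead of returning an empty list that looks like a clean bill of health. Host addresses, port lists and service names in the samples are invented.

```python
"""Compare an external nmap scan with the box's own netstat listener list.

Added example, not part of the original thread. NMAP_GREPABLE imitates
`nmap -p- -oG -` output for the suspect host, NETSTAT_SAMPLE imitates
`netstat -an` run on that host; both are constructed for illustration.
"""

# Constructed sample: grepable (-oG) output for a full TCP port scan.
NMAP_GREPABLE = (
    "# Nmap scan initiated as: nmap -p- -oG - 192.168.1.5\n"
    "Host: 192.168.1.5 ()\tStatus: Up\n"
    "Host: 192.168.1.5 ()\tPorts: 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "4444/open/tcp//krb524///\tIgnored State: closed (65531)\n"
)

# Constructed sample of the host-firewall case from the thread: every probe
# dropped, nothing learned.
NMAP_FILTERED = (
    "Host: 192.168.1.5 ()\tStatus: Up\n"
    "Host: 192.168.1.5 ()\tPorts: \tIgnored State: filtered (65535)\n"
)

# Constructed sample of `netstat -an` on the suspect host. Port 4444 is
# missing on purpose: that is what a trojaned netstat or a kernel hook
# hiding a listener would show you.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       192.168.1.1:445        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def parse_nmap_grepable(text):
    """Return (open_ports, ignored_state) from -oG output.
    open_ports is a set of (port, proto); ignored_state is the word nmap
    used for the ports it did not list ('closed', 'filtered', ...) or None."""
    open_ports, ignored = set(), None
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields on each Host line.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")   # port/state/proto/owner/service/...
            if len(parts) >= 3 and parts[1] == "open" and parts[0].isdigit():
                open_ports.add((int(parts[0]), parts[2]))
        if "Ignored State" in fields:
            ignored = fields["Ignored State"].split()[0]
    return open_ports, ignored


def parse_netstat_listeners(text):
    """Return the set of (port, proto) the host itself admits to listening on."""
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0].lower()
        port = int(parts[1].rsplit(":", 1)[1])
        # UDP rows have no state column; every UDP row is a bound socket.
        if proto == "udp" or (len(parts) >= 4 and parts[3] == "LISTENING"):
            listeners.add((port, proto))
    return listeners


def hidden_listeners(nmap_text, netstat_text):
    """Ports open from the outside that netstat on the box does not show.
    Returns None when the scan was inconclusive (nothing open, rest filtered),
    so an inconclusive scan is never mistaken for a clean one."""
    open_ports, ignored = parse_nmap_grepable(nmap_text)
    if not open_ports and ignored == "filtered":
        return None
    return sorted(open_ports - parse_netstat_listeners(netstat_text))


if __name__ == "__main__":
    print("hidden listeners:", hidden_listeners(NMAP_GREPABLE, NETSTAT_SAMPLE))
    print("all-filtered scan:", hidden_listeners(NMAP_FILTERED, NETSTAT_SAMPLE))
```

With the constructed samples the first call returns `[(4444, 'tcp')]` and the second returns `None`. If your own scan comes back all filtered, as viruz's did, scan from inside the same LAN segment or temporarily allow the scanner's address through the host firewall and repeat; until the scan sees the host's real port state the comparison cannot tell you anything.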

viruz

Jr. Member

Posts: 50

Joined: Sun Jan 11, 2009 9:08 pm

Post Fri Jun 05, 2009 6:59 pm

Re: backdoor actions

Thanks for the post. I think it's a big hell on my PC. I did as Ketchup said: I ran nmap from a different PC and all probes were bounced by my firewall, as it returned all ports as filtered. And still I run netstat and see different connections, some established, some TIME_WAIT, some LAST_ACK and another SYN_SENT, to unknown people.

I think I will have to sniff the traffic and see what really happens, as you have said.
Thanks

Otter

Newbie

Posts: 41

Joined: Tue Jul 03, 2007 1:03 pm

Post Sat Jun 06, 2009 2:43 am

Re: backdoor actions

viruz wrote: Thanks for the post. I think it's a big hell on my PC. I did as Ketchup said: I ran nmap from a different PC and all probes were bounced by my firewall, as it returned all ports as filtered. And still I run netstat and see different connections, some established, some TIME_WAIT, some LAST_ACK and another SYN_SENT, to unknown people.

I think I will have to sniff the traffic and see what really happens, as you have said.
Thanks


I think you're on the right track.  One thing I recall from my first exposure to incident response:  once you're compromised, that machine can't be trusted to tell you ANYTHING until you fdisk, reformat and reinstall from original readonly media.    Therefore, I totally disagree with any endorsement of any anti-malware cleanup software.  There's no way to know you got "everything" with such tools, particularly with polymorphic payloads that so easily evade signature based detection, or don't leave any traces behind anyway. 

One very passive thing you can do to see what's going on (if it's a home machine) is disconnect all devices but the suspect machine, slap a hub between your cable modem or DSL router and your router/switch, hang a BackTrack box (without starting networking and DHCP) off of it, don't assign an IP to the ethernet interface, and passively listen to the traffic going out of your network with Wireshark.    If you can add Snort into the mix to analyze things for you on the fly, so much the better.

The problem with netstat on the box... is you don't know if netstat itself has been trojaned to hide connections that are occurring.  Running a statically linked binary off a cd may be better, but if the kernel is sufficiently owned, it may lie to the binary, etc.  It's a bit of a house of cards with respect to trust. 

Good luck, and I hope your efforts are both educational and turn up that it's all much ado about nothing!

viruz

Jr. Member

Posts: 50

Joined: Sun Jan 11, 2009 9:08 pm

Post Sat Jun 06, 2009 6:25 am

Re: backdoor actions

It is all educational and has nothing to do with nothing, as you specified. I was actually infected and need to get those things out to prevent people spying on me.
I think I will just rebuild the machine; maybe that will be easy.

former33t

Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Sat Jun 06, 2009 9:13 am

Re: backdoor actions

To add to Otter's observation:
once you're compromised, that machine can't be trusted to tell you ANYTHING until you fdisk, reformat and reinstall from original readonly media.


It will only get worse.  We're on the verge of computer crime being profitable enough to target specific models of machines for BIOS level malware.  How we'll be detecting those is anyone's guess.

Otter is correct about not trusting netstat.  Even with a known good netstat binary, kernel hooks can hide established network connections.  He's right that you can't trust anything on that machine.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Jun 06, 2009 12:36 pm

Re: backdoor actions

If you don't have access to EnCase or FTK, one other thing you can try is booting from a Helix or maybe even a Backtrack disc.  Chances are (you can only hope), your rootkit is Windows only.  Mount your drive in Linux, and do a find for any files that were modified / accessed since the last time your computer behaved properly.  Then figure out if those files are legit or if they are part of the rootkit.

Note that this is more of an educational / investigative task.  Chances are, the rootkit is deep in your system, has hooked and written itself into a few Windows processes, and will not go away easily.  It will also have modified a few registry entries (like the Userinit key) that will make your life annoying even if you manage to remove it.  But, if you are curious to see what it is doing, this is a great exercise in my opinion.  We can even guide you with the Linux commands and tools if you are uncomfortable.
~~~~~~~~~~~~~~
Ketchup

RoleReversal


Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sat Jun 06, 2009 2:42 pm

Re: backdoor actions

I'd definitely second (3rd, 4th, ...?) the call for a rebuild. It's the only way to guarantee a clean system.

But I'd also go with Ketchup's suggestion of booting from a Linux distro. It might not help you ensure 100% that a system is clean, but it's usually fun to have a play around and do some learning with the infection before rebuilding. If nothing else it's just fun (but I may be a tad on the sad side....)

viruz

Jr. Member

Posts: 50

Joined: Sun Jan 11, 2009 9:08 pm

Post Sat Jun 06, 2009 9:26 pm

Re: backdoor actions

Yeah, I really appreciate the post. To me it seems more like forensic work, and I need to be really, really focused to know where it is actually hidden.

Ketchup, I have BackTrack mounted and I am dual booting both BT3 and Windows. I would not mind if you can assist me with the commands to get me started.... I believe getting to know and find the rootkit will actually add to my understanding and knowledge rather than rebuilding the system out of fear.... For someone to be good at something, challenges have to come, because they are good for knowledge, so I will take this opportunity to learn, since I don't have any vital things on the system to be afraid of losing.... Guiding me through will be absolutely welcome.

I appreciate your kind gesture, thanks.

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sun Jun 07, 2009 1:56 am

Re: backdoor actions

If you are dual booting backtrack, you are in good shape.  You can mount your NTFS Windows drive with the following steps:

1. Find out what drive label you are using and get a list of partitions on it.  Just run the mount command and it will tell you what's mounted where.  Let's assume that your drive is /dev/sda.

2. Run fdisk -l /dev/sda to get a listing of partitions on the drive.  Let's assume that your Windows partition is /dev/sda1.

3.  Make a directory in the /mnt/ folder for your partition: mkdir /mnt/sda1.  Then run the mount command to mount your drive (read only):  mount /dev/sda1 /mnt/sda1 -t ntfs-3g -o ro.  Note that you may get an error about the NTFS system being dirty.  In that case, just add -o force.

The next thing I would do is run the trusty find command to look for files that were modified since when you think you got infected.  Let's say that you got infected two days ago; your find command would look like this:  find /mnt/sda1 -mtime -2 > filestoinvestigate.txt.  The minus 2 indicates 2*24 hours or less from now.

You will get quite a few files here.  I would begin by concentrating on the ones found in the WINDOWS folder and subfolders, ones in the temporary folders, ones in the User Profile root directory, and ones in the Common Files folder.  There are other locations to look, but this is a good start.

This should get you started at pin-pointing the files that could belong to the rootkit.

One other thing you can try is to read up on Autopsy, which is included on BackTrack.  I haven't used it much, but I know it has some nice timeline features that could help you with this.    You can add your entire drive to Autopsy and it will parse the file system.  I find it a bit cumbersome though.
~~~~~~~~~~~~~~
Ketchup
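The mount-and-find procedure above, as an added example (not code from the thread or from Ketchup) that does from Python what `find /mnt/sda1 -mtime -N` does and adds the two things the one-liner lacks: it keeps walking past entries it cannot read, collecting them in a separate list instead of aborting or interleaving errors with results, and it sorts the hits into the locations the post says to look at first (WINDOWS, temporary folders, the user profile root, Common Files). It builds a constructed miniature of an XP volume in a temporary directory so it runs without a mounted image; every path and timestamp in that sample is invented. On a real image point `recent_files` at the read-only mount point; keeping the mount read-only is what stops your own investigation from rewriting the timestamps you are about to trust.

```python
"""Timeline triage of a read-only mounted Windows partition from Linux.

Added example, not part of the original thread. It reproduces the
`find /mnt/sda1 -mtime -N` step in Python, tolerates unreadable entries
(the Input/output errors a dirty NTFS volume throws), and buckets the
results by the locations a Windows backdoor usually lands in.
"""
import os
import tempfile
import time

DAY = 86400
NOW = 1244332800        # fixed "now" (June 2009) so the sample is reproducible


def recent_files(root, days, now=None):
    """Files under `root` modified less than days*24h ago, like find -mtime -N.
    Returns (hits, errors): hits are (relative_path, mtime), newest first;
    errors are entries that could not be read, listed separately because
    the files that misbehave are often the ones worth a second look."""
    now = time.time() if now is None else now
    cutoff = now - days * DAY
    hits, errors = [], []

    def on_error(exc):          # os.walk calls this instead of raising
        errors.append(f"{exc.filename}: {exc.strerror}")

    for dirpath, _dirnames, filenames in os.walk(root, onerror=on_error):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError as exc:
                errors.append(f"{full}: {exc.strerror}")
                continue
            if st.st_mtime > cutoff:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, st.st_mtime))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits, errors


def classify(relpath):
    """Bucket a '/'-separated path relative to the partition root."""
    parts = relpath.split("/")
    if parts[0].upper() == "WINDOWS":
        return "windows"
    if "Temp" in parts or "Temporary Internet Files" in parts:
        return "temp"
    if parts[0] == "Documents and Settings" and len(parts) == 3:
        return "profile_root"   # a file sitting directly in a user's profile
    if parts[:2] == ["Program Files", "Common Files"]:
        return "common_files"
    return "other"


def triage(hits):
    """Group recent hits by bucket, preserving newest-first order."""
    buckets = {}
    for rel, _mtime in hits:
        buckets.setdefault(classify(rel), []).append(rel)
    return buckets


def build_sample_image():
    """Create a constructed miniature of a Windows XP volume in a temp dir.
    Ages are relative to NOW: 1 day = touched since the (assumed) infection,
    10 days = untouched install-time file. All names are invented."""
    root = tempfile.mkdtemp(prefix="ntfs_sample_")
    sample = {
        "WINDOWS/system32/kernel32.dll": 10,
        "WINDOWS/system32/hiddenwebcam.dll": 1,
        "Documents and Settings/Koller/NTUSER.DAT": 1,
        "Documents and Settings/Koller/Local Settings/Temp/~DF68EC.tmp": 1,
        "Documents and Settings/Koller/My Documents/notes.txt": 10,
        "Program Files/Common Files/System/msadc.dll": 10,
    }
    for rel, age_days in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * 16)
        stamp = NOW - age_days * DAY
        os.utime(path, (stamp, stamp))
    return root


if __name__ == "__main__":
    image = build_sample_image()
    hits, errors = recent_files(image, days=2, now=NOW)
    for bucket, paths in triage(hits).items():
        print(f"[{bucket}]")
        for p in paths:
            print("   ", p)
    for err in errors:
        print("unreadable:", err)
```

On the sample the two-day window returns the DLL in system32, NTUSER.DAT in the profile root and the temp file, and leaves the ten-day-old files out. Two caveats carry over from the find version: an attacker who timestomps a file will not show up in an mtime window at all, and NTFS keeps a second set of timestamps (in the $FILE_NAME attribute) that tools like Autopsy can read but a plain stat cannot, which is one reason the post points at Autopsy's timeline features.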

viruz

Jr. Member

Posts: 50

Joined: Sun Jan 11, 2009 9:08 pm

Post Sun Jun 07, 2009 8:47 am

Re: backdoor actions

Thanks bro, I will follow the guide now and come back with feedback. Thanks.



I did the exercise now and here is what I got. Does it mean that all these files are infected and corrupted?

bt ~ # find /mnt/hda1 -mtime -5 > hiddenwebcamviewer.exe
find: /mnt/hda1/Documents and Settings/All Users/Application Data/Pure Networks/Platform/networklib.xml: Input/output error
find: /mnt/hda1/Documents and Settings/Koller/Application Data/Free Download Manager/downloads.sav: Input/output error
find: /mnt/hda1/Documents and Settings/Koller/Application Data/Free Download Manager/uploads.5.sav: Input/output error
find: /mnt/hda1/Documents and Settings/Koller/Application Data/Mozilla/Firefox/Profiles/75hk8ekd.default/localstore.rdf: Input/output error
find: /mnt/hda1/Documents and Settings/Koller/Application Data/Mozilla/Firefox/Profiles/75hk8ekd.default/sessionstore.js: Input/output error
find: /mnt/hda1/Documents and Settings/Koller/Local Settings/Temp/plugtmp-1: Input/output error
find: /mnt/hda1/Documents and Settings/Koller/Local Settings/Temp/~DF68EC.tmp: Input/output error
bt ~ #                           
Last edited by viruz on Sun Jun 07, 2009 2:03 pm, edited 1 time in total.

eth3real


Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Tue Jun 09, 2009 8:33 am

Re: backdoor actions

It may or may not help, but you could also try running sigverif in windows to see if any of the main windows files are showing as being unsigned (which means they were modified). It might not be too helpful, but it's worth a shot. :)
Put that in your pipe and grep it!
Return to Network Pen Testing