
High credential intrusion-Help


9 replies to this topic

#1 mindbar

mindbar

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:39 AM

Posted 13 February 2015 - 08:24 AM

I suspect there is a security hole in my Win 7 station. I need help understanding the vulnerability window. There is attached a netstat -bano log. I mention that I'm logged in as admin with the highest credentials, I guess...


Edited by hamluis, 09 March 2015 - 10:08 AM.
Moved from Win 7 to Gen Security - Hamluis.



#2 mindbar

mindbar
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:39 AM

Posted 13 February 2015 - 08:26 AM

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       956
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1256
  CryptSvc
 [svchost.exe]
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:41380          0.0.0.0:0              LISTENING       1600
 [CnxDIAS.exe]
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       1276
 [sqlservr.exe]
  TCP    0.0.0.0:50000          0.0.0.0:0              LISTENING       644
 [wininit.exe]
  TCP    0.0.0.0:50001          0.0.0.0:0              LISTENING       752
 [lsass.exe]
  TCP    0.0.0.0:50002          0.0.0.0:0              LISTENING       556
  eventlog
 [svchost.exe]
  TCP    0.0.0.0:50003          0.0.0.0:0              LISTENING       896
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:50004          0.0.0.0:0              LISTENING       1392
 [spoolsv.exe]
  TCP    0.0.0.0:50005          0.0.0.0:0              LISTENING       704
 [services.exe]
  TCP    0.0.0.0:50006          0.0.0.0:0              LISTENING       2860
  PolicyAgent
 [svchost.exe]
  TCP    192.168.10.180:139     0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.10.180:57320   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57321   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57322   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57323   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57324   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57325   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57326   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57328   192.168.10.253:7072    TIME_WAIT       0
  TCP    192.168.10.180:57331   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57332   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57333   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57334   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57335   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57336   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57337   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57338   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57339   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57340   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57341   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57342   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57343   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57344   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57345   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57346   192.168.10.1:8080      TIME_WAIT       0
  TCP    192.168.10.180:57347   192.168.10.1:8080      TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       956
  RpcSs
 [svchost.exe]
  TCP    [::]:445               [::]:0                 LISTENING       4
 Can not obtain ownership information
  TCP    [::]:3389              [::]:0                 LISTENING       1256
  CryptSvc
 [svchost.exe]
  TCP    [::]:5357              [::]:0                 LISTENING       4
 Can not obtain ownership information
  TCP    [::]:41380             [::]:0                 LISTENING       1600
 [CnxDIAS.exe]
  TCP    [::]:49154             [::]:0                 LISTENING       1276
 [sqlservr.exe]
  TCP    [::]:50000             [::]:0                 LISTENING       644
 [wininit.exe]
  TCP    [::]:50001             [::]:0                 LISTENING       752
 [lsass.exe]
  TCP    [::]:50002             [::]:0                 LISTENING       556
  eventlog
 [svchost.exe]
  TCP    [::]:50003             [::]:0                 LISTENING       896
  Schedule
 [svchost.exe]
  TCP    [::]:50004             [::]:0                 LISTENING       1392
 [spoolsv.exe]
  TCP    [::]:50005             [::]:0                 LISTENING       704
 [services.exe]
  TCP    [::]:50006             [::]:0                 LISTENING       2860
  PolicyAgent
 [svchost.exe]
  TCP    [::1]:49152            [::]:0                 LISTENING       1928
 [jhi_service.exe]
  UDP    0.0.0.0:123            *:*                                    692
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:500            *:*                                    896
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:1434           *:*                                    2084
 [sqlbrowser.exe]
  UDP    0.0.0.0:3702           *:*                                    1656
  FDResPub
 [svchost.exe]
  UDP    0.0.0.0:3702           *:*                                    1656
  FDResPub
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*                                    896
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:49152          *:*                                    1656
  FDResPub
 [svchost.exe]
  UDP    0.0.0.0:49154          *:*                                    1392
 [spoolsv.exe]
  UDP    127.0.0.1:1900         *:*                                    1656
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:52950        *:*                                    1656
  SSDPSRV
 [svchost.exe]
  UDP    192.168.10.180:137     *:*                                    4
 Can not obtain ownership information
  UDP    192.168.10.180:138     *:*                                    4
 Can not obtain ownership information
  UDP    192.168.10.180:1900    *:*                                    1656
  SSDPSRV
 [svchost.exe]
  UDP    192.168.10.180:52949   *:*                                    1656
  SSDPSRV
 [svchost.exe]
  UDP    [::]:123               *:*                                    692
  W32Time
 [svchost.exe]
  UDP    [::]:500               *:*                                    896
  IKEEXT
 [svchost.exe]
  UDP    [::]:1434              *:*                                    2084
 [sqlbrowser.exe]
  UDP    [::]:3702              *:*                                    1656
  FDResPub
 [svchost.exe]
  UDP    [::]:3702              *:*                                    1656
  FDResPub
 [svchost.exe]
  UDP    [::]:4500              *:*                                    896
  IKEEXT
 [svchost.exe]
  UDP    [::]:49153             *:*                                    1656
  FDResPub
 [svchost.exe]
  UDP    [::1]:1900             *:*                                    1656
  SSDPSRV
 [svchost.exe]
  UDP    [::1]:52948            *:*                                    1656
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::3c83:764f:a3c:d1b3%11]:1900  *:*                                    1656
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::3c83:764f:a3c:d1b3%11]:52947  *:*                                    1656
  SSDPSRV
 [svchost.exe]
 



#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,767 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:39 PM

Posted 13 February 2015 - 09:01 AM

Hi,

what makes you believe that you've been compromised?

regards
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#4 mindbar

mindbar
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:39 AM

Posted 20 February 2015 - 07:46 AM

I lose control over the mouse pointer and scroll for extra short periods of time. I tested the mouse on other systems and it works fine. Also strange things happen (my printer settings have been modified), and so on.



#5 mindbar

mindbar
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:39 AM

Posted 20 February 2015 - 07:54 AM

Also in the previous post it can be seen this message, Can not obtain ownership information, in the netstat result, and that is strange to me because I'm logged in as admin with no security restriction. Also there are some unexplained UDP scans on my machine. If there is someone that can help me understand what is happening...



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,537 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:39 AM

Posted 20 February 2015 - 08:29 AM

Hi mindbar :)

Can you try opening the command prompt with Admin Rights (right-click on it and select Run as Administrator), then run the netstat -ano command? Also, the IP address is "local", which means that it's an IP address attributed to a device on your own network. Do you know which one it is?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,767 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:39 PM

Posted 20 February 2015 - 08:49 AM

Hi,

the administrator account is not the most powerful account on your machine. The "System" account and "TrustedInstaller" are more powerful, but are accounts you cannot log into or use. This is by design to make the system more secure.

PID 4 belongs to the System account on all Windows machines (always). Therefore it is not surprising that you cannot access all information about them as administrator. So the "can not obtain ownership" is normal since they have a PID of 4.

The mouse problem might also come from a corrupted usb driver (assuming it's on a usb connection).

regards
myrti

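To make the PID 4 point above concrete, here is an added Python example (not code from the thread or from any of its posters) that parses `netstat -bano` output of the shape posted in this topic, attaches the service and image lines to the socket entry they belong to, labels the "Can not obtain ownership information" entries with PID 4 as the System process, and summarizes which ports are listening and which process owns them. The sample input is constructed to mirror the posted output; it is not the original log.

```python
"""Parse Windows 'netstat -bano' output and summarize listening sockets.

Added example, not from the forum thread. SAMPLE below is a constructed
excerpt in the same layout netstat -bano prints on Windows 7: a socket line,
then optionally a service name line, then either the "[image.exe]" line or
the note "Can not obtain ownership information".
"""

# Constructed sample input (same shape as the posted log, not the log itself).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       956
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1256
  CryptSvc
 [svchost.exe]
  TCP    192.168.10.180:57320   192.168.10.1:8080      TIME_WAIT       0
  UDP    0.0.0.0:1434           *:*                                    2084
 [sqlbrowser.exe]
  UDP    192.168.10.180:137     *:*                                    4
 Can not obtain ownership information
"""

OWNERSHIP_NOTE = "Can not obtain ownership information"


def parse_netstat(text):
    """Return one dict per socket line, with service/image lines attached."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Active Connections") or line.startswith("Proto"):
            continue
        tokens = line.split()
        # TCP lines have 5 columns (with State); UDP lines have 4 (no State).
        if tokens[0] in ("TCP", "UDP") and tokens[-1].isdigit() and len(tokens) in (4, 5):
            current = {
                "proto": tokens[0],
                "local": tokens[1],
                "foreign": tokens[2],
                "state": tokens[3] if len(tokens) == 5 else "",
                "pid": int(tokens[-1]),
                "service": None,
                "image": None,
            }
            records.append(current)
        elif current is None:
            continue
        elif line.startswith("[") and line.endswith("]"):
            current["image"] = line[1:-1]
        elif line == OWNERSHIP_NOTE:
            # netstat prints this for sockets owned by the kernel System
            # process (PID 4) even when run as Administrator; it is expected.
            current["image"] = "System" if current["pid"] == 4 else "unknown"
        else:
            current["service"] = line
    return records


def local_port(record):
    """Extract the port from an address such as 0.0.0.0:135 or [::]:135."""
    return int(record["local"].rsplit(":", 1)[1])


def listening_summary(records):
    """Map (proto, port) -> set of owner labels for listening sockets only."""
    summary = {}
    for r in records:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue  # skip TIME_WAIT and other non-listening TCP entries
        label = r["image"] or "?"
        if r["service"]:
            label = f"{label} ({r['service']})"
        summary.setdefault((r["proto"], local_port(r)), set()).add(label)
    return summary


def wide_open_ports(records):
    """Listening sockets bound to every interface (0.0.0.0 or [::])."""
    return sorted(
        (r["proto"], local_port(r))
        for r in records
        if r["local"].rsplit(":", 1)[0] in ("0.0.0.0", "[::]")
        and (r["proto"] == "UDP" or r["state"] == "LISTENING")
    )


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE)
    for key, owners in sorted(listening_summary(recs).items()):
        print(f"{key[0]:<4} {key[1]:>5}  {', '.join(sorted(owners))}")
    print("bound on all interfaces:", wide_open_ports(recs))
```

Running it on the real log means replacing `SAMPLE` with the file contents; the summary makes it easy to see that every "Can not obtain ownership information" entry is a PID 4 socket (SMB on 445/139, NetBIOS on 137/138, WSD on 5357), which is the normal System-owned set rather than a sign of a hidden process.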


#8 mindbar

mindbar
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:39 AM

Posted 09 March 2015 - 03:48 AM

To Aura:

That netstat was run through the admin account. And yes, I know the machine is in a local network.

To myrti:

I know that System and TrustedInstaller are accounts with higher credentials, but there is the problem, meaning that these accounts are vulnerable, and somebody is using them to contact the machine. Now the trouble is finding out who it is. I have some evidence of connections over DCOM - there are several applications built there that are not supposed to be. There were also some Kerberos connections on that machine but I can't track the source.



#9 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,658 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:39 PM

Posted 09 March 2015 - 12:23 PM

Also in the previous post it can be seen this message Can not obtain ownership information in the netstat result, and that is strange to me because I'm logged in as admin with no security restriction.

 

That is normal for PID 4. I also see that on other systems.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#10 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,658 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:39 PM

Posted 09 March 2015 - 12:24 PM

Also there are some unexplained UDP scans on my machine. If there is someone that can help me understand what is happening...

 

How did you detect UDP scans?






