RE:Unknown App

From: Jordan Del-Grande (jordan.delgrande@gmail.com)
Date: Thu Jul 21 2005 - 15:24:10 EDT


Hey,

The first thing I would do is run Nessus on the port to check and see
it ain't no backdoor such as "hacker defender". I've seen that a lot
lately.

Next, ask the client if you are allowed access to the box as a local
administrator. I would have all your tools burnt to CD/DVD and then
begin mapping the service to the exe using tools like netstat -an,
psservice.exe, pstat.exe, etc...

Note: Do not trust the shit on that box.

I am sure there are some guys on the list who perform mostly host-based
review or forensic work and can help you out with some
additional tools.

Hope this helps,

Jordan

Hello,

During a recent pen-test, I discovered that port 80 is opened by an
unknown application on multiple client workstations (WinXP). No web
server appears to be running or installed - I've tested a few things,
but I'm curious what the list thinks is the best next-step to take.
Thanks,
Golden Earring
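
The port-to-executable mapping suggested in the reply, as an added example that is not part of the original thread: it correlates saved `netstat -ano` and `tasklist /svc` output (an assumption; the reply names `netstat -an`, psservice.exe and pstat.exe) with the ports the scanner saw open, and flags any port that is open from the network but missing from the host's own listing. The process name, service name, addresses and PIDs are constructed sample data.

```python
import re

# Constructed sample: `netstat -ano` rows saved from the workstation (trusted binary run from CD).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1684
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1045      192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample: `tasklist /svc` rows from the same host (updsvc.exe is a made-up name).
TASKLIST = """\
Image Name                   PID Services
========================= ====== =============================================
System                         4 N/A
updsvc.exe                  1684 UpdSvc
"""

def listeners(netstat_text):
    """Return {tcp_port: pid} for every LISTENING row."""
    out = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            out[int(f[1].rsplit(":", 1)[1])] = int(f[4])
    return out

def processes(tasklist_text):
    """Return {pid: (image_name, services)}; header and ruler rows carry no PID and are skipped."""
    out = {}
    for line in tasklist_text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            out[int(m.group(2))] = (m.group(1), m.group(3).strip())
    return out

def map_ports(remote_open, netstat_text, tasklist_text):
    """Map each remotely observed open port to its owning image, or flag it as hidden locally."""
    local, procs = listeners(netstat_text), processes(tasklist_text)
    report = {}
    for port in remote_open:
        pid = local.get(port)
        if pid is None:
            report[port] = "open remotely, absent from local netstat: local view may be filtered"
        else:
            image, services = procs.get(pid, ("<no matching process>", "N/A"))
            report[port] = f"PID {pid} {image} (services: {services})"
    return report
```

A port in the second category is the case the "do not trust the box" note is about: the host's own tools are reporting less than the network can see.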


