Open Source Security Tools : Practical Guide to Security Applications part 39. Few frontline system administrators can afford to spend all day worrying about security. But in this age of widespread virus infections, worms, and digital attacks, no one can afford to neglect network defenses. Written with the harried IT manager in mind, Open Source Security Tools is a practical, hands-on introduction to open source security tools.

Page 359 Friday June 25 2004 12:33 AM   Chapter 11, Forensic Tools: Forensic Analysis Tools

Pid   Process            Port  Proto Path
4072  WCESMgr        ->  999   TCP   C:\Program Files\Microsoft ActiveSync
1032  svchost        ->  1025  TCP   C:\WINDOWS\System32
1032  svchost        ->  1031  TCP   C:\WINDOWS\System32
1032  svchost        ->  1034  TCP   C:\WINDOWS\System32
4     System         ->  1042  TCP
4072  WCESMgr        ->  2406  TCP   C:\Program Files\Microsoft ActiveSync
2384  websearch      ->  3008  TCP   C:\Program Files\websearch
1144                 ->  54321 TCP   C:\Temp
4072  WCESMgr        ->  5678  TCP   C:\Program Files\Microsoft ActiveSync
2384  websearch      ->  8755  TCP   C:\Program Files\websearch
136   javaw          ->  8765  TCP   C:\WINDOWS\System32
1348  WCESCOMM       ->  123   UDP   C:\Program Files\Microsoft ActiveSync
2384  websearch      ->  123   UDP   C:\Program Files\websearch
940   svchost        ->  135   UDP   C:\WINDOWS\system32
1144                 ->  137   UDP
1032  svchost        ->  1026  UDP   C:\WINDOWS\System32

Reading down this listing, everything appears to be a normal service or program until about halfway down, where a process with no name is running from the Temp directory. This is the command prompt binary, and it has no business being in a temp directory. The fact that the service has no name should also arouse suspicion. Finally, the incoming port number (54321) does not match any known service; if you look it up in a database of known Trojan horses on the Internet, it matches the port number of a documented Trojan horse. There is strong evidence that this system has been exploited. At this point you have to decide whether it is worth taking the system down to do further forensic .

Table  Fport Sorting Options

Option  Description
-a      Sorts the output by application name.
-ap     Sorts the output by application path.
-i      Sorts the output by process ID (PID).
-p      Sorts the output by port.
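The walkthrough of the listing above applies three checks to each line of Fport's output: does the process have a name, does its binary live in a directory where a service belongs, and is the port one the host is expected to serve. The Python script below, added here as an example and not taken from the book or from Fport, automates those checks and ranks listeners by how many they fail. It runs on a constructed sample modelled on the listing; the executable names in that sample, the trusted-directory prefixes, the expected-port map and the ephemeral-range exemption are assumptions for the example, not facts from the text.

```python
"""Triage an Fport listing for suspicious listeners.

Added example; not code from the book or from Fport itself. It applies the
three checks the chapter walks through (unnamed process, binary running from
an untrusted directory, port that matches no expected service) to the columns
Fport prints: Pid, Process, "->", Port, Proto, Path.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample modelled on the chapter's listing. Executable names are
# illustrative (Fport prints the full path of each listening process).
SAMPLE_FPORT_OUTPUT = r"""
Pid   Process            Port  Proto Path
4072  WCESMgr        ->  999   TCP   C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
1032  svchost        ->  1025  TCP   C:\WINDOWS\System32\svchost.exe
4     System         ->  1042  TCP
2384  websearch      ->  3008  TCP   C:\Program Files\websearch\websearch.exe
1144                 ->  54321 TCP   C:\Temp\cmd.exe
940   svchost        ->  135   UDP   C:\WINDOWS\system32\svchost.exe
1144                 ->  137   UDP
1032  svchost        ->  1026  UDP   C:\WINDOWS\System32\svchost.exe
"""

# One Fport row: the Process column may be empty, the Path column may be absent.
FPORT_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S*)\s*->\s*(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s*(?P<path>.*?)\s*$"
)

# Directories a legitimate Windows service binary is expected to live under.
# Assumption for this example; adjust to the host's build standard.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# Ports this particular host is expected to listen on. Constructed for the
# example: the ActiveSync entries come from the pairing of WCESMgr with those
# ports in the listing, not from a port registry.
KNOWN_SERVICE_PORTS = {
    ("UDP", 123): "NTP",
    ("UDP", 135): "MS RPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service",
    ("TCP", 999): "ActiveSync",
    ("TCP", 5678): "ActiveSync",
}
# Default dynamic (ephemeral) range on Windows 2000/XP; listeners here are
# usually RPC services that bound whatever port was free at boot.
DYNAMIC_RANGE = range(1025, 5001)


@dataclass
class Listener:
    pid: int
    proc: str
    port: int
    proto: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_fport(text: str) -> List[Listener]:
    """Parse Fport output; the header line and blank lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            listeners.append(Listener(int(m["pid"]), m["proc"], int(m["port"]),
                                      m["proto"], m["path"]))
    return listeners


def check(ln: Listener) -> List[str]:
    """Return the reasons a listener looks wrong, in a fixed order."""
    reasons = []
    if not ln.proc:
        reasons.append("unnamed-process")
    if ln.path and not ln.path.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("untrusted-path")
    if (ln.proto, ln.port) not in KNOWN_SERVICE_PORTS and ln.port not in DYNAMIC_RANGE:
        reasons.append("unexplained-port")
    return reasons


def triage(text: str) -> List[Listener]:
    """Listeners that fail at least one check, worst first."""
    flagged = []
    for ln in parse_fport(text):
        ln.reasons = check(ln)
        if ln.reasons:
            flagged.append(ln)
    flagged.sort(key=lambda x: (-len(x.reasons), x.pid, x.port))
    return flagged


if __name__ == "__main__":
    for ln in triage(SAMPLE_FPORT_OUTPUT):
        name = ln.proc or "<no name>"
        print(f"pid {ln.pid:<5} {name:<10} {ln.proto} {ln.port:<5} "
              f"{ln.path or '-'}  [{', '.join(ln.reasons)}]")
```

Run as-is, the script reports the two unnamed entries for PID 1144, with the TCP 54321 listener failing all three checks; on a real host, save Fport's output to a file and pass its contents to triage(). The ephemeral-range exemption keeps the svchost and System RPC listeners from drowning the report, but an attacker can bind a port inside that range just as easily, which is why no single check is decisive and the unnamed-process and untrusted-path checks are kept independent of the port check.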