Full Disclosure mailing list archives
Exploiting a Worm
From: "Ian Gizak" <iangizak () hotmail com>
Date: Tue, 13 Sep 2005 22:29:19 +0000
Hi list,

I'm pentesting a client's network and I have found a Windows NT4 machine with TCP ports 620 and 621 open.
When I netcat this port, it returns garbage binary strings. When I connect to port 113 (auth), it replies with random USERIDs.
According to what I have found, this behaviour would mean the presence of the Agobot worm.
A full TCP scan revealed the following result:

(The 29960 ports scanned but not shown below are in state: closed)
PORT      STATE     SERVICE
21/tcp    open      ftp
25/tcp    open      smtp
80/tcp    filtered  http
113/tcp   open      auth
135/tcp   filtered  msrpc
137/tcp   filtered  netbios-ns
139/tcp   filtered  netbios-ssn
443/tcp   open      https
445/tcp   filtered  microsoft-ds
465/tcp   open      smtps
554/tcp   open      rtsp
621/tcp   open      unknown
622/tcp   open      unknown
1028/tcp  open      unknown
1031/tcp  open      iad2
1036/tcp  open      unknown
1720/tcp  filtered  H.323/Q.931
1755/tcp  open      wms
4600/tcp  open      unknown
5400/tcp  filtered  pcduo-old
5403/tcp  filtered  unknown
5554/tcp  filtered  unknown
5800/tcp  open      vnc-http
5900/tcp  open      vnc
6999/tcp  filtered  unknown
8080/tcp  open      http-proxy
9996/tcp  filtered  unknown
10028/tcp filtered  unknown
10806/tcp filtered  unknown
12278/tcp filtered  unknown
14561/tcp filtered  unknown
16215/tcp filtered  unknown
17076/tcp filtered  unknown
18420/tcp filtered  unknown
18519/tcp filtered  unknown
19464/tcp filtered  unknown
20738/tcp filtered  unknown
25717/tcp filtered  unknown
25950/tcp filtered  unknown
28974/tcp filtered  unknown

I have checked the open ports and none of them seems to be the worm's FTP server or anything useful related to the worm. Some ports accept input but don't reply with anything...
Does anyone know a way to exploit this worm to get access to the system?

Thanks in advance,
Ian
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
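The scan table in the post is the kind of artifact an incident responder triages before touching the host: which listeners are open, which are merely filtered by a firewall, which open ports nmap could not name, and whether the ports the poster ties to the infection (620, 621 and the identd port 113) are actually present. The following parser and triage helpers are an added example, not code from the poster or from this thread; the embedded scan text is copied from the post above, and the watch-list of indicator ports is an assumption taken from the poster's own description, not a published Agobot signature.

```python
import re
from collections import Counter

# Constructed from the scan output quoted in the post above; the states are
# exactly as the poster reported them.
SCAN_OUTPUT = """
(The 29960 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp filtered http
113/tcp open auth
135/tcp filtered msrpc
137/tcp filtered netbios-ns
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
554/tcp open rtsp
621/tcp open unknown
622/tcp open unknown
1028/tcp open unknown
1031/tcp open iad2
1036/tcp open unknown
1720/tcp filtered H.323/Q.931
1755/tcp open wms
4600/tcp open unknown
5400/tcp filtered pcduo-old
5403/tcp filtered unknown
5554/tcp filtered unknown
5800/tcp open vnc-http
5900/tcp open vnc
6999/tcp filtered unknown
8080/tcp open http-proxy
9996/tcp filtered unknown
10028/tcp filtered unknown
10806/tcp filtered unknown
12278/tcp filtered unknown
14561/tcp filtered unknown
16215/tcp filtered unknown
17076/tcp filtered unknown
18420/tcp filtered unknown
18519/tcp filtered unknown
19464/tcp filtered unknown
20738/tcp filtered unknown
25717/tcp filtered unknown
25950/tcp filtered unknown
28974/tcp filtered unknown
"""

# Assumption: a triage watch-list built from the poster's description (two
# unknown listeners plus identd answering with random user IDs). It is not a
# worm signature; it only tells us which rows deserve a closer look.
INDICATOR_PORTS = {113, 620, 621}

# One nmap normal-output port row: "<port>/<proto> <state> <service>".
# The service field may contain "/" (e.g. H.323/Q.931), so match non-space.
PORT_LINE = re.compile(
    r'^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)$'
)


def parse_nmap_ports(text):
    """Parse nmap's port table into dicts, skipping the header and summary lines."""
    entries = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if not m:
            continue
        entries.append({
            'port': int(m['port']),
            'proto': m['proto'],
            'state': m['state'],
            'service': m['service'],
        })
    return entries


def state_counts(entries):
    """How many rows are open vs filtered: filtered rows are firewall policy, not listeners."""
    return Counter(e['state'] for e in entries)


def triage_indicators(entries, indicators=INDICATOR_PORTS):
    """Report which watch-list ports appear in the scan (and in what state) and which do not."""
    by_port = {e['port']: e for e in entries if e['proto'] == 'tcp'}
    present = sorted((p, by_port[p]['state']) for p in indicators if p in by_port)
    absent = sorted(p for p in indicators if p not in by_port)
    return {'present': present, 'absent': absent}


def unknown_open_services(entries):
    """Open ports nmap could not name: the listeners to fingerprint and tie to a process."""
    return sorted(e['port'] for e in entries
                  if e['state'] == 'open' and e['service'] == 'unknown')


if __name__ == '__main__':
    rows = parse_nmap_ports(SCAN_OUTPUT)
    print('parsed rows:', len(rows), dict(state_counts(rows)))
    print('indicator ports:', triage_indicators(rows))
    print('open but unnamed:', unknown_open_services(rows))
```

Two things the output makes visible that the flat scan text hides: port 620, which the poster names, is not in the scan at all (only 621 and 622 are), and five open listeners carry no service name. On the host itself the next defensive step is to map those listeners to their owning processes and compare the binaries against known-good images, rather than interacting with them over the network.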
Current thread:
- Exploiting a Worm Ian Gizak (Sep 13)
- Re: Exploiting a Worm Nick FitzGerald (Sep 13)
- Re: Exploiting a Worm Paul Farrow (Sep 13)
- Re: Exploiting a Worm Valdis . Kletnieks (Sep 13)
- RE: Exploiting a Worm Lyal Collins (Sep 13)
- Re: Exploiting a Worm Ivan . (Sep 13)
- Re: Exploiting a Worm Frank Knobbe (Sep 14)