Full Disclosure mailing list archives
Re: Exploiting a Worm
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 14 Sep 2005 10:54:47 +1200
Ian Gizak wrote:
I'm pentesting a client's network and I have found a Windows NT4 machine with TCP ports 620 and 621 open. When I netcat this port, it returns garbage binary strings. When I connect to port 113 (auth), it replies with random USERIDs. According to what I have found, this behaviour would mean the presence of the Agobot worm.
That is too limited a set of observations to draw that conclusion for sure. After all, the source of various variants of various forks of most of the vaguely "popular" bots is available (which is largely why those bots are "popular"), so could easily have been partially copied in making a "new" bot (and we see a lot of evidence suggesting that this happens often). Likewise, some "key features" of any given mainstream bot are equally likely to have been derived from other, pre-existing "publicly" available code...
A full TCP scan revealed the following result:
<<snip>>
I have checked the open ports and no-one seems to be the worm ftp server or something useful related to the worm. Some ports allow input but don't reply anything... Does anyone know a way to exploit this worm to get access to the system?
Well, that will depend on precisely what variant of what code you have listening on those ports, and even on what compiler and options the binary was built with AND the precise CPU architecture, OS and configuration options the code is running on. Of course, if you can get a sample of the binary off the machine, you can reverse it and work out those answers for yourself, but I doubt anyone here can divine them for you, from this distance...

I take it the VNC ports didn't prove useful? VNC is often installed by malware, with trivial ("qwerty", "1234", "admin", "root", etc., even null) access passwords...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
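The symptom quoted at the top of the thread (port 113 answering with a different USERID each time) is one a defender can test for directly: a genuine identd answers the same connection pair with the same user, so repeated queries that return different names point to a fake responder such as the one many bots ship. The following is an added example, not code from the thread; it parses RFC 1413 reply lines and flags port pairs whose USERID changes between queries, using constructed sample replies rather than a live probe.

```python
"""Flag a bogus ident (RFC 1413) responder from a set of captured replies.

A real identd maps one <server-port>,<client-port> pair to one user.  A bot's
fake identd typically invents a fresh random name on every query, so the same
pair answered with several different USERIDs is the tell.  Sample replies
below are constructed for the example, not taken from the original post.
"""
import re
from collections import defaultdict

# RFC 1413 reply: "<server-port> , <client-port> : USERID : <opsys> : <userid>"
# or              "<server-port> , <client-port> : ERROR : <error-type>"
IDENT_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*([^:]*?)\s*(?::\s*(.*))?$"
)


def parse_ident(line):
    """Return a dict for one reply line, or None if it is not RFC 1413 shaped."""
    m = IDENT_RE.match(line.strip())
    if not m:
        return None
    sport, cport, kind, field, rest = m.groups()
    return {
        "ports": (int(sport), int(cport)),
        "kind": kind,                       # USERID or ERROR
        "opsys_or_err": field.strip(),      # opsys for USERID, error type for ERROR
        "userid": (rest or "").strip(),     # user id may itself contain ':'
    }


def suspicious_ident(responses):
    """Group USERID replies by port pair; return pairs answered with >1 user."""
    seen = defaultdict(set)
    for line in responses:
        r = parse_ident(line)
        if r and r["kind"] == "USERID":
            seen[r["ports"]].add(r["userid"])
    return {ports: sorted(users) for ports, users in seen.items() if len(users) > 1}


# Constructed samples: the same pair queried twice against a genuine identd,
# and against a responder that makes up a new name on every query.
GENUINE = [
    "6667 , 1029 : USERID : UNIX : alice",
    "6667 , 1029 : USERID : UNIX : alice",
]
BOGUS = [
    "6667 , 1029 : USERID : WIN32 : kfjq",
    "6667 , 1029 : USERID : WIN32 : rzlpx",
    "25 , 1030 : USERID : WIN32 : bob",
]
```

Collect the reply lines by querying the same port pair a few times and feed them to `suspicious_ident`; an empty result is consistent with a real identd, anything else is worth pulling the binary for.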