Full Disclosure mailing list archives
Re: Exploiting a Worm
From: Paul Farrow <augm58 () dsl pipex com>
Date: Wed, 14 Sep 2005 00:01:17 +0100
Another thing you could do is install an anti-virus app or by some other means identify the worm that is active and possibly get a variant version id.
Find out how the worm installs itself, reverse engineer it, and remove it. If you're interested in what's actually happening, install something like Ethereal win32 (will need libpcap) and listen to all the traffic for a while.
Hope I've thrown some ideas out there...

Leetrifically,
flame

Ian Gizak wrote:
Hi list,

I'm pentesting a client's network and I have found a Windows NT4 machine with TCP ports 620 and 621 open. When I netcat this port, it returns garbage binary strings. When I connect to port 113 (auth), it replies with random USERIDs. According to what I have found, this behaviour would mean the presence of the Agobot worm.

A full TCP scan revealed the following result:

(The 29960 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
21/tcp    open     ftp
25/tcp    open     smtp
80/tcp    filtered http
113/tcp   open     auth
135/tcp   filtered msrpc
137/tcp   filtered netbios-ns
139/tcp   filtered netbios-ssn
443/tcp   open     https
445/tcp   filtered microsoft-ds
465/tcp   open     smtps
554/tcp   open     rtsp
621/tcp   open     unknown
622/tcp   open     unknown
1028/tcp  open     unknown
1031/tcp  open     iad2
1036/tcp  open     unknown
1720/tcp  filtered H.323/Q.931
1755/tcp  open     wms
4600/tcp  open     unknown
5400/tcp  filtered pcduo-old
5403/tcp  filtered unknown
5554/tcp  filtered unknown
5800/tcp  open     vnc-http
5900/tcp  open     vnc
6999/tcp  filtered unknown
8080/tcp  open     http-proxy
9996/tcp  filtered unknown
10028/tcp filtered unknown
10806/tcp filtered unknown
12278/tcp filtered unknown
14561/tcp filtered unknown
16215/tcp filtered unknown
17076/tcp filtered unknown
18420/tcp filtered unknown
18519/tcp filtered unknown
19464/tcp filtered unknown
20738/tcp filtered unknown
25717/tcp filtered unknown
25950/tcp filtered unknown
28974/tcp filtered unknown

I have checked the open ports and none seems to be the worm ftp server or something useful related to the worm. Some ports allow input but don't reply with anything...

Does anyone know a way to exploit this worm to get access to the system?

Thanks in advance,
Ian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
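A defender-side way to act on a scan like the one Ian posted, as an added example that is not code from either poster: parse the nmap port table and sort the findings into what to check first on the box (open ports nmap could not name, open named services nobody asked for, and the count of filtered ports). The sample input re-embeds a subset of the scan from the post; the set of ports expected on this host is an assumption.

```python
import re

# Subset of the nmap output quoted in the post, embedded so the script runs offline.
SCAN_OUTPUT = """\
PORT      STATE    SERVICE
21/tcp    open     ftp
113/tcp   open     auth
135/tcp   filtered msrpc
445/tcp   filtered microsoft-ds
621/tcp   open     unknown
622/tcp   open     unknown
1028/tcp  open     unknown
1031/tcp  open     iad2
1036/tcp  open     unknown
4600/tcp  open     unknown
5900/tcp  open     vnc
8080/tcp  open     http-proxy
9996/tcp  filtered unknown
"""

# Matches one nmap "PORT STATE SERVICE" row; the header line does not match.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|filtered|closed)\s+(\S+)")

def parse_scan(text):
    """Return (port, proto, state, service) tuples from nmap normal-output text."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def triage(rows, expected_open=frozenset({21, 25, 80, 443})):
    """Sort scan rows into what an admin should look at first.

    expected_open is an assumed list of services this host is meant to run.
    unknown_open: open ports nmap could not name; first candidates for a bot's
    listener, to be matched against the process list on the machine itself.
    unexpected_open: named services that are not on the expected list.
    filtered: many filtered high ports on one host usually means a host firewall
    or the malware itself is dropping probes, so the scan alone is not the answer.
    """
    unknown_open = sorted(p for p, _, s, svc in rows if s == "open" and svc == "unknown")
    unexpected_open = sorted(p for p, _, s, svc in rows
                             if s == "open" and svc != "unknown" and p not in expected_open)
    filtered = sum(1 for _, _, s, _ in rows if s == "filtered")
    return {"unknown_open": unknown_open, "unexpected_open": unexpected_open, "filtered": filtered}

if __name__ == "__main__":
    for key, value in triage(parse_scan(SCAN_OUTPUT)).items():
        print(key, value)
```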
Current thread:
- Exploiting a Worm Ian Gizak (Sep 13)
- Re: Exploiting a Worm Nick FitzGerald (Sep 13)
- Re: Exploiting a Worm Paul Farrow (Sep 13)
- Re: Exploiting a Worm Valdis . Kletnieks (Sep 13)
- RE: Exploiting a Worm Lyal Collins (Sep 13)
- Re: Exploiting a Worm Ivan . (Sep 13)
- Re: Exploiting a Worm Frank Knobbe (Sep 14)
- <Possible follow-ups>
- Exploiting a Worm Ian Gizak (Sep 13)