Full Disclosure mailing list archives
Re: Exploiting a Worm
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 14 Sep 2005 11:39:06 -0500
On Tue, 2005-09-13 at 22:29 +0000, Ian Gizak wrote:
I'm pentesting a client's network and I have found a Windows NT4 machine with ports 620 and 621 TCP ports open. When I netcat this port, it returns garbage binary strings. When I connect to port 113 (auth), it replies with random USERIDs. [...] I have checked the open ports and no-one seems to be the worm ftp server or something useful related to the worm. Some ports allow input but don't reply anything...
Could it be that you are buzzing around a honeypot like a moth around a porch light? Or have you followed up with the client and can you rule it out as a honeypot? Otherwise it's a very interesting port fingerprint for an NT4 box :)
Cheers,
Frank
--
Ciscogate: Shame on Cisco. Double-Shame on ISS.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/