Full Disclosure mailing list archives

Re: Exploiting a Worm


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 14 Sep 2005 11:39:06 -0500

On Tue, 2005-09-13 at 22:29 +0000, Ian Gizak wrote:
> I'm pentesting a client's network and I have found a Windows NT4 machine 
> with ports 620 and 621 TCP ports open.
>
> When I netcat this port, it returns garbage binary strings. When I connect 
> to port 113 (auth), it replies with random USERIDs.
[...]
> I have checked the open ports and no-one seems to be the worm ftp server or 
> something useful related to the worm. Some ports allow input but don't reply 
> anything...

Could it be that you are buzzing around a honeypot like a moth around a
porch light? Or have you followed up with the client and can you rule it
out as a honeypot? Otherwise it's a very interesting port fingerprint
for an NT4 box :)

Cheers,
Frank

-- 
Ciscogate: Shame on Cisco. Double-Shame on ISS.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/