Re: Wierd non-http port 80 daemon?

[Thomas Kerbl <t.kerbl () weigl de>]

Dani Wuck wrote:

> [SNIP]
> #1. If you connect to it, it waits for remote input.
> #2. It accepts a certain number of chars before it closes the connection.
> #3. If you immediately send the max. number of chars, (or more) the 
> connection is closed at once.
> #4. You can send five times an 'a', and then get disconnected.
> #5. If you'd send 'abc', you'll get disconnected after < 5 times 
> (usually 3 or 2)
> #6. Every time you send something, (except doing #3) it returns some 
> ASCII that seems to be different everytime. (even if you keep sending 
> the same)

Hard to tell what it is exactly, but this behaviour seems like a 
challenge/response procedure to me... with the rigth algorithm you can 
calculate the answer to the "random" ASCII code it returns...

> So .. what do you think I'm looking at? A trojan or something?
> Guessing on its open ports I believe it's a WinME OEM, Win2000 or 
> (probably) WinXP box. (UPNP enabled)
>
> I'm eager to notify its user, but I first really want to know what that 
> port 80 deamon is :)

it's just a wild guess, but if you cannot figure out any pattern in the 
returned ASCII, I would bet on a challenge/response authentification 
System...

*hth*
Thomas Kerbl


---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------