Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: W32/Welchia, W32/Nachi backdoor?

From: Joe Stewart <jstewart () lurhq com>
Date: Wed, 20 Aug 2003 13:49:51 -0400
On Wednesday 20 August 2003 11:20 am, Barry Irwin wrote:

creates a backdoor listening on TCP/707 or some other randomly chosen port


between TCP/666 and >TCP/765 [2]

Telnetting to this port seems to disconnected after 1-5 characters have
been entered?  This doesn't look like TFTP (port 65/tcp&UDP), and the
windows tftp client doesn't seem to offer any means of specifying a port to
connect to?

Is this some kind of password protected backdoor ?


No, it's a reverse shell. Telnet to the port and enter the following 2 lines
to see how it works:

Microsoft Windows
system32>

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: