Full Disclosure mailing list archives
Re: W32/Welchia, W32/Nachi backdoor?
From: Joe Stewart <jstewart () lurhq com>
Date: Wed, 20 Aug 2003 13:49:51 -0400
On Wednesday 20 August 2003 11:20 am, Barry Irwin wrote:
creates a backdoor listening on TCP/707 or some other randomly chosen portbetween TCP/666 and >TCP/765 [2] Telnetting to this port seems to disconnected after 1-5 characters have been entered? This doesn't look like TFTP (port 65/tcp&UDP), and the windows tftp client doesn't seem to offer any means of specifying a port to connect to? Is this some kind of password protected backdoor ?
No, it's a reverse shell. Telnet to the port and enter the following 2 lines to see how it works: Microsoft Windows system32> -Joe -- Joe Stewart, GCIH Senior Security Researcher LURHQ Corporation http://www.lurhq.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: W32/Welchia, W32/Nachi backdoor? Joe Stewart (Sep 10)