Full Disclosure mailing list archives
RE: Exploiting a Worm
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Wed, 14 Sep 2005 09:26:37 +1000
If you get a packet capture, run it through an IDS platform with current alert signatures, and see if it alerts on any traffic. Or analyse outbound traffic destination from the machine - if traffic exits, or tries to exit, the company boundaries without valid reason, then it's not good practice and should be cleaned up.

Something that can work is adopting a message something like 'Because we don't know what damage to the company is occurring, and don't have time/resources to find out, we recommend that we <insert positive action here> to prevent further damage' - YMMV

Lyal

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Paul Farrow
Sent: Wednesday, 14 September 2005 9:01 AM
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Exploiting a Worm

Another thing you could do is install an anti-virus app, or by some other means identify the worm that is active and possibly get a variant version id. Find out how the worm installs itself, reverse engineer it, and remove it.

If you're interested in what's actually happening, install something like Ethereal win32 (will need libpcap) and listen to all the traffic for a while.

Hope I've thrown some ideas out there...

Leetrifically,
flame

Ian Gizak wrote:
Hi list,

I'm pentesting a client's network and I have found a Windows NT4 machine with TCP ports 620 and 621 open. When I netcat this port, it returns garbage binary strings. When I connect to port 113 (auth), it replies with random USERIDs. According to what I have found, this behaviour would mean the presence of the Agobot worm.

A full TCP scan revealed the following result:

(The 29960 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
21/tcp    open     ftp
25/tcp    open     smtp
80/tcp    filtered http
113/tcp   open     auth
135/tcp   filtered msrpc
137/tcp   filtered netbios-ns
139/tcp   filtered netbios-ssn
443/tcp   open     https
445/tcp   filtered microsoft-ds
465/tcp   open     smtps
554/tcp   open     rtsp
621/tcp   open     unknown
622/tcp   open     unknown
1028/tcp  open     unknown
1031/tcp  open     iad2
1036/tcp  open     unknown
1720/tcp  filtered H.323/Q.931
1755/tcp  open     wms
4600/tcp  open     unknown
5400/tcp  filtered pcduo-old
5403/tcp  filtered unknown
5554/tcp  filtered unknown
5800/tcp  open     vnc-http
5900/tcp  open     vnc
6999/tcp  filtered unknown
8080/tcp  open     http-proxy
9996/tcp  filtered unknown
10028/tcp filtered unknown
10806/tcp filtered unknown
12278/tcp filtered unknown
14561/tcp filtered unknown
16215/tcp filtered unknown
17076/tcp filtered unknown
18420/tcp filtered unknown
18519/tcp filtered unknown
19464/tcp filtered unknown
20738/tcp filtered unknown
25717/tcp filtered unknown
25950/tcp filtered unknown
28974/tcp filtered unknown

I have checked the open ports and none of them seems to be the worm's FTP server or anything useful related to the worm. Some ports accept input but don't reply with anything...

Does anyone know a way to exploit this worm to get access to the system?

Thanks in advance,

Ian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
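Lyal's suggestion above (look at where the suspect machine's outbound traffic goes and whether it leaves the company boundary) can be turned into a small triage script. The following is an added example for this archive page, not code posted by anyone in the thread: it reads a flow summary such as you could export from a tcpdump/Ethereal capture, flags every connection from the suspect host to an address outside the organisation's ranges, and separately flags internal ports that the host has touched on many distinct machines, which is what propagation scanning looks like. The suspect address, the internal ranges and every flow record are constructed for the demonstration.

```python
"""Egress and fan-out triage for a host suspected of running a bot.

Added example (not from the Full Disclosure thread). The suspect address,
the internal address space and the flow records below are all constructed.
"""
import ipaddress
from collections import defaultdict

SUSPECT = "10.1.2.50"  # assumption: the NT4 box from the scan

# Assumption: the company's address space. Any destination outside these
# networks is traffic "exiting the company boundaries".
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow summary: proto src sport dst dport bytes.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, so these
# destinations are fictitious. 6667 is the conventional IRC port.
FLOWS = """\
tcp 10.1.2.50 1031 10.1.2.10 445 2400
tcp 10.1.2.50 1036 198.51.100.7 6667 18200
tcp 10.1.2.50 1040 198.51.100.7 6667 900
tcp 10.1.2.50 1042 203.0.113.9 80 512
tcp 10.1.2.50 1045 10.1.3.77 445 1800
tcp 10.1.2.50 1047 10.1.3.78 445 1800
tcp 10.1.2.50 1049 10.1.3.79 445 1800
udp 10.1.2.50 137 10.1.2.255 137 78
tcp 10.1.2.11 3344 10.1.2.50 621 120
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skips blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, nbytes = line.split()
        flows.append({"proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    """True if addr falls inside one of the assumed company networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def egress_report(flows, suspect=SUSPECT):
    """External destinations the suspect initiated connections to.

    Keyed by (dst, dport) with flow count and total bytes. Every entry
    here needs a valid business reason; a persistent, chatty peer on an
    odd port is the command channel you want to look at first.
    """
    report = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        if f["src"] == suspect and not is_internal(f["dst"]):
            key = (f["dst"], f["dport"])
            report[key]["flows"] += 1
            report[key]["bytes"] += f["bytes"]
    return dict(report)


def fanout_report(flows, suspect=SUSPECT, threshold=3):
    """Internal TCP ports the suspect hit on at least `threshold` distinct hosts.

    One client talking to many hosts on the same service port is the
    signature of a worm looking for its next victim, not of normal use.
    """
    hosts = defaultdict(set)
    for f in flows:
        if f["src"] == suspect and f["proto"] == "tcp" and is_internal(f["dst"]):
            hosts[f["dport"]].add(f["dst"])
    return {port: sorted(h) for port, h in hosts.items() if len(h) >= threshold}


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for (dst, port), s in sorted(egress_report(flows).items()):
        print(f"egress  {dst}:{port}  flows={s['flows']} bytes={s['bytes']}")
    for port, hs in sorted(fanout_report(flows).items()):
        print(f"fan-out tcp/{port} -> {len(hs)} internal hosts: {', '.join(hs)}")
```

Feed it a real export (one line per flow in the same field order) and the two reports answer Lyal's two questions: what leaves the boundary, and whether the box is hunting for other hosts. Inbound flows to the suspect and UDP broadcast noise are deliberately ignored so that the output stays short enough to act on.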
Current thread:
- Exploiting a Worm Ian Gizak (Sep 13)
- Re: Exploiting a Worm Nick FitzGerald (Sep 13)
- Re: Exploiting a Worm Paul Farrow (Sep 13)
- Re: Exploiting a Worm Valdis . Kletnieks (Sep 13)
- RE: Exploiting a Worm Lyal Collins (Sep 13)
- Re: Exploiting a Worm Ivan . (Sep 13)
- Re: Exploiting a Worm Frank Knobbe (Sep 14)
- <Possible follow-ups>
- Exploiting a Worm Ian Gizak (Sep 13)