RE: Exploiting a Worm

["Lyal Collins" <lyal.collins () key2it com au>]

If you get a packet capture, run it through an IDS platform with current
alert signatures, and see if it alerts on any traffic.
Or analyse outbound traffic destination from the machine - if traffic exits,
or trys to exit the company boundaries without valid reason, then it's not
good practice and should be cleaned up. 
Something that can work is adopting a message something like 'Because we
don't know what damage to the company is occuring, and don't have
time/resources to find out, we recommend that we <insert positive action
here> to prevent further damage' - YMMV

Lyal


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Paul Farrow
Sent: Wednesday, 14 September 2005 9:01 AM
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Exploiting a Worm


Another thing you could do is install an anti-virus app or by some other 
means identify the worm that is active and possibly get a variant 
version id.
Find out how the worm installs itself, reverse engineer it, and remove it.

If youre interested in whats actually happening, install something like 
etherreal win32 (will need libpcap) and listen to all the traffic for a 
while.

Hope Ive thrown some ideas out there...


Leetrifically,
  flame

Ian Gizak wrote:

> Hi list,
>
> I'm pentesting a client's network and I have found a Windows NT4
> machine with ports 620 and 621 TCP ports open.
>
> When I netcat this port, it returns garbage binary strings. When I
> connect to port 113 (auth), it replies with random USERIDs.
>
> According to what I have found, this behaviour would mean the presence
> of the Agobot worm.
>
> A full TCP scan revealed the following result:
>
> (The 29960 ports scanned but not shown below are in state: closed)
> PORT      STATE    SERVICE
> 21/tcp    open     ftp
> 25/tcp    open     smtp
> 80/tcp    filtered http
> 113/tcp   open     auth
> 135/tcp   filtered msrpc
> 137/tcp   filtered netbios-ns
> 139/tcp   filtered netbios-ssn
> 443/tcp   open     https
> 445/tcp   filtered microsoft-ds
> 465/tcp   open     smtps
> 554/tcp   open     rtsp
> 621/tcp   open     unknown
> 622/tcp   open     unknown
> 1028/tcp  open     unknown
> 1031/tcp  open     iad2
> 1036/tcp  open     unknown
> 1720/tcp  filtered H.323/Q.931
> 1755/tcp  open     wms
> 4600/tcp  open     unknown
> 5400/tcp  filtered pcduo-old
> 5403/tcp  filtered unknown
> 5554/tcp  filtered unknown
> 5800/tcp  open     vnc-http
> 5900/tcp  open     vnc
> 6999/tcp  filtered unknown
> 8080/tcp  open     http-proxy
> 9996/tcp  filtered unknown
> 10028/tcp filtered unknown
> 10806/tcp filtered unknown
> 12278/tcp filtered unknown
> 14561/tcp filtered unknown
> 16215/tcp filtered unknown
> 17076/tcp filtered unknown
> 18420/tcp filtered unknown
> 18519/tcp filtered unknown
> 19464/tcp filtered unknown
> 20738/tcp filtered unknown
> 25717/tcp filtered unknown
> 25950/tcp filtered unknown
> 28974/tcp filtered unknown
>
> I have checked the open ports and no-one seems to be the worm ftp
> server or something useful related to the worm. Some ports allow input 
> but don't reply anything...
>
> Does anyone knows a way to exploit this worm to get access to the 
> system?
>
> Thanks in advance,
> Ian
>
> _________________________________________________________________
> Don't just search. Find. Check out the new MSN Search!
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/