Security Incidents mailing list archives
Re: Mystery web server trojan(?) on Windows ME
From: Chip McClure <vhm3 () hades dnsalias net>
Date: Thu, 21 Jun 2001 10:41:23 -0700 (PDT)
On Wed, 20 Jun 2001, Jeremy Anderson wrote:

I believe 4343 is an XML web server that Windows ME (and only ME) uses to communicate via some sort of IPC process regarding some internal operations. My brief flirtation with ME saw the same ports open on my machine as well. I read that 4343 is used for device configuration & management. I went so far as to run Nessus on the box, and tried a whole slew of buffer overflow exploits, etc. against it.
> Hi folks,
>
> One of my users is running WinME at home. He reported that he thought his home machine had been hacked. Running a portscan on the machine turned up the following:
>
>   10.0.0.23   unknown       135/tcp    unassigned
>   10.0.0.23   netbios-ssn   139/tcp    # NETBIOS session server
>   10.0.0.23   unknown       4343/tcp   unassigned
>
> Attempting to telnet to port 4343 on this machine, I found what appeared to be a small webserver. Here are some samples:
>
> ----------------------------------------------------------
> GET / HTTP/1.0
>
> HTTP/1.1 400 Bad Request
> ----------------------------------------------------------
> iojgoijtgoij
>
> HTTP/1.1 400 Bad Request
> ----------------------------------------------------------
> GET / HTTP/1.0
> Connection: Keep-Alive
> User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.14-5.0smp i686)
> Host: 10.0.0.23:4343
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
> Accept-Encoding: gzip
> Accept-Language: en
> Accept-Charset: iso-8859-1
>
> HTTP/1.1 400 Bad Request
>
> ... and so on. Not very revealing.
>
> I attempted to run inzider (http://www.ntsecurity.nu) on the machine to find out what was hooked up to this port (expecting a copy of Back Orifice or similar). While I don't have the dump from inzider, there was no process attached to the server.
>
> Does this sound familiar to anyone? I have reason to believe it's a stealth backdoor of some sort, but I don't have much information to go on.
>
> Thanks in advance.
>
> Jeremy Anderson            email: jeremy () is2inc com
> Systems Administrator      tel: 425/775.6495
> IS-Squared Inc.            fax: 425/774.8564
Chip McClure
Sr. Unix Administrator
GigGuardian, Inc
http://www.gigguardian.com/
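As an added example (not part of the thread or of any tool it mentions), a small Python script that repeats the probing Jeremy describes, sending the same three request styles to an unknown listener and classifying the replies instead of eyeballing them; the captured replies embedded below are constructed from the exchanges quoted in the post, and host/port are placeholders for a live run.

```python
import socket

# The three request styles quoted in the thread; each earned a bare
# "HTTP/1.1 400 Bad Request" with no headers or body.
PROBES = {
    "bare_get": b"GET / HTTP/1.0\r\n\r\n",
    "garbage": b"iojgoijtgoij\r\n\r\n",
    "full_get": b"GET / HTTP/1.0\r\nHost: 10.0.0.23:4343\r\nAccept: */*\r\n\r\n",
}

# Constructed replies, copied from the exchanges quoted in the post (offline sample).
CAPTURED = {name: b"HTTP/1.1 400 Bad Request\r\n\r\n" for name in PROBES}

def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP reply; (None, {}) if not HTTP."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        return None, {}
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return None, {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return int(parts[1]), headers

def probe(host, port, request, timeout=3.0):
    """Send one request over a fresh TCP connection; return the raw reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            return sock.recv(65536)  # first segment is enough for the status line
        except socket.timeout:
            return b""  # listener accepted the connection but stayed silent

def classify(replies):
    """Summarise probe replies: does the listener speak HTTP, and does it serve anything?"""
    parsed = {name: parse_response(raw) for name, raw in replies.items()}
    codes = [code for code, _ in parsed.values()]
    return {
        "speaks_http": any(c is not None for c in codes),
        # A valid status line in reply to garbage means a real HTTP parser sits behind the port
        "parses_requests": parsed.get("garbage", (None, {}))[0] is not None,
        "served_content": any(c is not None and c < 400 for c in codes),
        "server_header": next((h["server"] for _, h in parsed.values() if "server" in h), None),
    }
```

For a live host, build `replies` as `{name: probe("10.0.0.23", 4343, req) for name, req in PROBES.items()}` and pass it to `classify`; on the captured data the verdict is "speaks HTTP, parses requests, serves nothing, no Server header", which is exactly the inconclusive picture the post describes.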
Current thread:
- Mystery web server trojan(?) on Windows ME Jeremy Anderson (Jun 21)
- Re: Mystery web server trojan(?) on Windows ME Chip McClure (Jun 22)
- <Possible follow-ups>
- RE: Mystery web server trojan(?) on Windows ME Vachon, Scott (Jun 24)