Re: Mystery web server trojan(?) on Windows ME

[Chip McClure <vhm3 () hades dnsalias net>]

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 20 Jun 2001, Jeremy Anderson wrote:

I believe 4343 is an XML webserver that windows me (and only ME) uses to
communicate via some sort of IPC process regarding some internal
operations. My brief flirtation with ME saw the same ports open on my
machine as well. I read that 4343 is used for device configuration &
managment.

I went so much as to run Nessus on the box, and tried a whole slew of
buffer overflow exploits, etc against it.

> Hi folks,
>
> One of my users is running WinME at home.  He reported that he thought his
> home machine had been hacked.
>
> Running a portscan on the machine turned up the following:
>
> 10.0.0.23           unknown            135/tcp unassigned
> 10.0.0.23           netbios-ssn        139/tcp # NETBIOS session server
> 10.0.0.23         unknown            4343/tcp unassigned
>
> Attempting to telnet to port 4343 on this machine, I found what appeared
> to be a small webserver.
>
> Here are some samples:
>
> ----------------------------------------------------------
>
> GET / HTTP/1.0
>
> HTTP/1.1 400 Bad Request
>
> ----------------------------------------------------------
>
> iojgoijtgoij
>
> HTTP/1.1 400 Bad Request
>
> ----------------------------------------------------------
>
> GET / HTTP/1.0
> Connection: Keep-Alive
> User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.14-5.0smp i686)
> Host: 10.0.0.23:4343
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
> Accept-Encoding: gzip
> Accept-Language: en
> Accept-Charset: iso-8859-1
>
> HTTP/1.1 400 Bad Request
>
> ... and so on.  Not very revealing.
>
> I attempted to run inzider (http://www.ntsecurity.nu) on the machine to
> find out what was hooked up to this port (expecting a copy of Back Orifice
> or similar).  While I don't have the dump from inzider, there was no
> process attached to the server.
>
> Does this sound familiar to anyone?  I have reason to believe it's a
> stealth backdoor of some sort, but I don't have much information to go on.
>
> Thanks in advance.
>
> Jeremy Anderson                                       email: jeremy () is2inc com
> Systems Administrator                                   tel: 425/775.6495
> IS-Squared Inc.                                         fax: 425/774.8564

Chip McClure
Sr. Unix Administrator
GigGuardian, Inc

http://www.gigguardian.com/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOzIxyCqtlrSgJcRdAQH6HwQAimPYrwVsP274F42dUtxN7pqkBn/FgPGG
8NapV81iTzJ5sTxNSLrNw2xGAB3onMkK1NUQ8D9sIl2YFJ5KfBHnCuGrkZnBrQ+2
huOX8mt6baHWQdwAgzdOsDbTj3fkgJkW+fV6owwq0W9sBtPyMhm+vF6cLU/H2O/x
GnG3av4ErdI=
=b8XH
-----END PGP SIGNATURE-----