Penetration Testing mailing list archives

Re: [PEN-TEST] port 12345

From: Erik Tayler <erik () digitaloffense net>
Date: Mon, 2 Oct 2000 16:56:18 -0500

Hi Justin,

I have never seen any Novell machines with NetBus, and to the best of my
knowledge it has not been ported [however I don't keep up to date with the
porting of NetBus]. I have experienced this before, and in many instances it
just ended up to be a non-listening port that was filtered for no particular
reason. Even stranger, the port will show up every other scan. But don't
rule out NetBus. Instead of just scanning for infected machines, why not
just attempt to connect with the NetBus client?

Erik Tayler
http://www.14x.net
http://www.digitaloffense.net

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Justin Funke
Sent: Monday, October 02, 2000 1:46 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: port 12345


Has anyone seen the Netbus trojan ported to a Novell server?

Is it possible the gateway server is forwarding the port from an
internally affected machine?

I can see the port open but filtered on a friend's network but we cannot
find why it is showing up. There is no IDS software emulating a honeypot
so something must be infected somewhere on the internal WAN. A full scan
of the internal network shows no infected machines.

Thanks,

Justin

Current thread:

[PEN-TEST] port 12345 Justin Funke (Oct 02)
- Re: [PEN-TEST] port 12345 Erik Tayler (Oct 02)
- <Possible follow-ups>
- Re: [PEN-TEST] port 12345 Tonick, Mike (Oct 02)
- Re: [PEN-TEST] port 12345 Craig, Scott (Oct 03)
- Re: [PEN-TEST] port 12345 Bowman James (Oct 03)