Penetration Testing mailing list archives
Exploiting a Worm
From: "Ian Gizak" <iangizak () hotmail com>
Date: Mon, 12 Sep 2005 23:54:06 +0000
Hi list,I'm pentesting a client's network and I have found a Windows NT4 machine with ports 620 and 621 TCP ports open.
When I netcat this port, it returns garbage binary strings. When I connect to port 113 (auth), it replies with random USERIDs.
According to what I have found, this behaviour would mean the presence of the Agobot worm.
A full TCP scan revealed the following result: (The 29960 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 21/tcp open ftp 25/tcp open smtp 80/tcp filtered http 113/tcp open auth 135/tcp filtered msrpc 137/tcp filtered netbios-ns 139/tcp filtered netbios-ssn 443/tcp open https 445/tcp filtered microsoft-ds 465/tcp open smtps 554/tcp open rtsp 621/tcp open unknown 622/tcp open unknown 1028/tcp open unknown 1031/tcp open iad2 1036/tcp open unknown 1720/tcp filtered H.323/Q.931 1755/tcp open wms 4600/tcp open unknown 5400/tcp filtered pcduo-old 5403/tcp filtered unknown 5554/tcp filtered unknown 5800/tcp open vnc-http 5900/tcp open vnc 6999/tcp filtered unknown 8080/tcp open http-proxy 9996/tcp filtered unknown 10028/tcp filtered unknown 10806/tcp filtered unknown 12278/tcp filtered unknown 14561/tcp filtered unknown 16215/tcp filtered unknown 17076/tcp filtered unknown 18420/tcp filtered unknown 18519/tcp filtered unknown 19464/tcp filtered unknown 20738/tcp filtered unknown 25717/tcp filtered unknown 25950/tcp filtered unknown 28974/tcp filtered unknownI have checked the open ports and no-one seems to be the worm ftp server or something useful related to the worm. Some ports allow input but don't reply anything...
Does anyone knows a way to exploit this worm to get access to the system? Thanks in advance, Ian _________________________________________________________________Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
------------------------------------------------------------------------------Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Exploiting a Worm Ian Gizak (Sep 14)
- Re: Exploiting a Worm Paul Robertson (Sep 15)
- Re: Exploiting a Worm Craig Holmes (Sep 15)
- Re: Exploiting a Worm Marco Monicelli (Sep 15)
- <Possible follow-ups>
- Exploiting a Worm Ian Gizak (Sep 14)
- RE: [Full-disclosure] Exploiting a Worm Aditya Deshmukh (Sep 14)
- Re: [Full-disclosure] Exploiting a Worm Dave Dittrich (Sep 14)
- Re: [Full-disclosure] Exploiting a Worm Karma (Sep 14)
- RE: Exploiting a Worm Drage, Nick (Sep 16)