Penetration Testing mailing list archives
Re: Exploiting a Worm
From: Marco Monicelli <marco.monicelli () marcegaglia com>
Date: 15-Sep-2005 08:47:12 CEDT
Well, if I'm not wrong, the proper client will send the proper string to the proper open port and this will result in a shell prompt. The fact that it doesn't behave like a normal Agobot could mean that it is a variant, and that would explain the fact that it has not been recognized by the AV (I suppose you have AV software on that NT machine). I would try to search the PC for some of the files of Agobot and, in case you find anything... do a backup of sensitive data and format the computer. Always the best cleaning solution, according to me.

Just my 2 cents,
Marco

Hi list,

I'm pentesting a client's network and I have found a Windows NT4 machine with TCP ports 620 and 621 open. When I netcat these ports, they return garbage binary strings. When I connect to port 113 (auth), it replies with random USERIDs. According to what I have found, this behaviour would mean the presence of the Agobot worm.

A full TCP scan revealed the following result:

(The 29960 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
21/tcp    open     ftp
25/tcp    open     smtp
80/tcp    filtered http
113/tcp   open     auth
135/tcp   filtered msrpc
137/tcp   filtered netbios-ns
139/tcp   filtered netbios-ssn
443/tcp   open     https
445/tcp   filtered microsoft-ds
465/tcp   open     smtps
554/tcp   open     rtsp
621/tcp   open     unknown
622/tcp   open     unknown
1028/tcp  open     unknown
1031/tcp  open     iad2
1036/tcp  open     unknown
1720/tcp  filtered H.323/Q.931
1755/tcp  open     wms
4600/tcp  open     unknown
5400/tcp  filtered pcduo-old
5403/tcp  filtered unknown
5554/tcp  filtered unknown
5800/tcp  open     vnc-http
5900/tcp  open     vnc
6999/tcp  filtered unknown
8080/tcp  open     http-proxy
9996/tcp  filtered unknown
10028/tcp filtered unknown
10806/tcp filtered unknown
12278/tcp filtered unknown
14561/tcp filtered unknown
16215/tcp filtered unknown
17076/tcp filtered unknown
18420/tcp filtered unknown
18519/tcp filtered unknown
19464/tcp filtered unknown
20738/tcp filtered unknown
25717/tcp filtered unknown
25950/tcp filtered unknown
28974/tcp filtered unknown

I have checked the open ports and none seems to be the worm's FTP server or something useful related to the worm. Some ports allow input but don't reply anything... Does anyone know a way to exploit this worm to get access to the system?

Thanks in advance,
Ian

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------------
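Added example (not code from either poster): an offline triage script for the two pieces of evidence in the thread, the nmap table with open ports nmap cannot name, and an ident service on 113/tcp that answers with random usernames. The nmap sample is a subset of the table in the post; the ident replies are constructed, and the consistency heuristic (a genuine identd answers the same port pair the same way on every query, a decoy that invents usernames does not) is this example's assumption, not something the thread states. It is meant to help confirm a compromise before the rebuild Marco recommends, not to interact with the bot.

```python
"""Offline triage helpers for the evidence described in the thread: an nmap
port table with unnamed open ports, and an ident (113/tcp) service that
answers with random usernames. Added example, not code from the thread."""
import re
from collections import defaultdict

# Constructed sample: a subset of the port table from the original post.
NMAP_OUTPUT = """\
PORT      STATE    SERVICE
21/tcp    open     ftp
113/tcp   open     auth
621/tcp   open     unknown
622/tcp   open     unknown
5900/tcp  open     vnc
8080/tcp  open     http-proxy
9996/tcp  filtered unknown
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|filtered|closed)\s+(\S+)", re.M)


def parse_nmap(text):
    """Return (port, proto, state, service) tuples from an nmap port table."""
    return [(int(p), proto, state, svc)
            for p, proto, state, svc in PORT_LINE.findall(text)]


def unknown_open_ports(text):
    """Open ports nmap could not map to a service name: the first candidates
    to compare against the software the host is supposed to be running."""
    return sorted(p for p, _, state, svc in parse_nmap(text)
                  if state == "open" and svc == "unknown")


# RFC 1413 reply: "<server-port>,<client-port>:USERID:<opsys>:<userid>"
#             or  "<server-port>,<client-port>:ERROR:<error-type>"
IDENT_REPLY = re.compile(
    r"^(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*([^:]*?)\s*(?::\s*(.*))?$")


def parse_ident_reply(line):
    """Parse one ident reply line; returns None when it is not RFC 1413 syntax."""
    m = IDENT_REPLY.match(line.strip())
    if not m:
        return None
    sport, cport, kind, info, userid = m.groups()
    return {"server_port": int(sport), "client_port": int(cport),
            "kind": kind, "info": info, "userid": userid}


def ident_looks_fake(replies):
    """Heuristic (an assumption of this example, not a rule from the thread):
    a genuine identd answers the same <server-port,client-port> pair with the
    same user (or the same error) every time. A decoy that invents a fresh
    random username per query, as the post describes, contradicts itself
    across repeated queries. Replies that are not ident syntax at all are
    also flagged, since a real identd never sends binary garbage."""
    seen = defaultdict(set)
    for reply in replies:
        parsed = parse_ident_reply(reply)
        if parsed is None:
            return True
        pair = (parsed["server_port"], parsed["client_port"])
        seen[pair].add((parsed["kind"], parsed["userid"] or parsed["info"]))
    return any(len(answers) > 1 for answers in seen.values())


# Constructed replies: what a decoy ident and a genuine one would return for
# repeated identical queries about the same connection.
FAKE_IDENT_REPLIES = ["6667, 40123 : USERID : UNIX : qzxkpl",
                      "6667, 40123 : USERID : UNIX : mrtwaa",
                      "6667, 40123 : USERID : UNIX : hpoela"]
REAL_IDENT_REPLIES = ["6667, 40123 : USERID : UNIX : alice"] * 3
ERROR_IDENT_REPLIES = ["6667, 40123 : ERROR : NO-USER"] * 2

if __name__ == "__main__":
    print("open ports with no service name:", unknown_open_ports(NMAP_OUTPUT))
    print("decoy ident replies look fake:", ident_looks_fake(FAKE_IDENT_REPLIES))
    print("genuine ident replies look fake:", ident_looks_fake(REAL_IDENT_REPLIES))
```

In practice the reply lists would come from a few repeated ident queries captured during the assessment; feeding those captures to `ident_looks_fake` gives a written, reproducible finding for the report, and `unknown_open_ports` produces the list of listeners the system owner has to account for.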
Current thread:
- Exploiting a Worm Ian Gizak (Sep 14)
- Re: Exploiting a Worm Paul Robertson (Sep 15)
- Re: Exploiting a Worm Craig Holmes (Sep 15)
- Re: Exploiting a Worm Marco Monicelli (Sep 15)
- <Possible follow-ups>
- Exploiting a Worm Ian Gizak (Sep 14)
- RE: [Full-disclosure] Exploiting a Worm Aditya Deshmukh (Sep 14)
- Re: [Full-disclosure] Exploiting a Worm Dave Dittrich (Sep 14)
- Re: [Full-disclosure] Exploiting a Worm Karma (Sep 14)
- RE: Exploiting a Worm Drage, Nick (Sep 16)