Penetration Testing mailing list archives

Re: FW: Port 4662 exploitation


From: Todd Haverkos <infosec () haverkos com>
Date: Mon, 15 Dec 2008 14:26:27 -0600

"lgpmsec" <lgpmsec () gmail com> writes:
Hi again all,

Please find below the nmap results for the specific server, and let me know
if it adds value:

bt ~ # nmap -sT -vv x.x.x.120

Starting Nmap 4.60 ( http://nmap.org ) at 2008-12-15 15:04 GMT

Completed SYN Stealth Scan at 16:05, 3639.22s elapsed (1715 total ports)
Host x.y.com (x.x.x.120) appears to be up ... good.
Interesting ports on x.y.com (x.x.x.120):
Not shown: 1611 filtered ports, 55 closed ports
PORT     STATE SERVICE
...
17/tcp   open  qotd
4662/tcp open  edonkey
....
I also telnetted to port 4662, getting:

bt ~ # telnet x.x.x.120 4662
Trying x.x.x.120...
Connected to x.x.x.120.
Escape character is '^]'.
whoami

^QConnection closed by foreign host.

Please advise on how to proceed


You've manually confirmed nmap's results that there is _something_
listening there.  Instead of telnet, I prefer nc -v x.x.x.120 4662 to
get a connection confirmation in netcat's verbose output.

One usual thing to do is to hit those open ports with a -sV version
scan.  If you'd like to see what nmap is doing in trying to divine its
version detection, you can scan just that port and look at the version
trace for ideas on how to do such manual futzing in the future:

nmap --version_trace -P0 -n -v -v -sV -p 4662 x.x.x.120 


The scan you performed had no service fingerprinting (-sV) specified,
so nmap is just showing what /etc/services has for the port number in
question, which for ports off the beaten path is often wrong or
misleading.

Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
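The distinction Todd draws above, between the name nmap prints from a port table and what the service actually answers when probed, is easy to reproduce by hand. The following is an added example written for this archive page; it is not code from the thread, from nmap, or from either poster. The port table, the probe strings and the signature list are constructed subsets in the spirit of /etc/services and nmap's service probes, and the target is a local stand-in listener started by the script itself so that it runs offline; point probe_port() at a real host and port to use it in practice.

```python
import re
import socket
import threading

# Constructed subset of the /etc/services port table. A plain -sT scan prints
# these names purely by port number; nmap has not talked to the service at all.
SERVICES_TABLE = {
    17: "qotd",
    22: "ssh",
    80: "http",
    4662: "edonkey",
}

# Probes in the spirit of nmap's service detection: first listen for an
# unsolicited banner (NULL probe), then send protocol-specific strings.
PROBES = [
    ("NULL", b""),
    ("GetRequest", b"GET / HTTP/1.0\r\n\r\n"),
    ("GenericLines", b"\r\n\r\n"),
]

# Signatures keyed on what the service actually sends back (constructed list).
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("smtp", re.compile(rb"^220[ -].*[Ss][Mm][Tt][Pp]")),
]


def services_name(port):
    """What a scan without -sV would print for this port: a table lookup only."""
    return SERVICES_TABLE.get(port, "unknown")


def probe_port(host, port, timeout=2.0):
    """Send each probe on a fresh connection and return {probe_name: response}.
    A new connection per probe matters because many daemons drop the session
    after one unexpected input, exactly as the telnet attempt above showed."""
    results = {}
    for name, payload in PROBES:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                if payload:
                    s.sendall(payload)
                chunks = []
                try:
                    while True:
                        data = s.recv(4096)
                        if not data:          # peer closed: stop reading
                            break
                        chunks.append(data)
                except socket.timeout:
                    pass                      # silent service: keep what we have
                results[name] = b"".join(chunks)
        except OSError:
            results[name] = b""               # refused / reset / unreachable
    return results


def identify(responses):
    """Match every response against the signature list; first hit wins.
    Returns (service, probe_that_triggered_it) or ("unknown", None)."""
    for name, data in responses.items():
        for service, pattern in SIGNATURES:
            if data and pattern.search(data):
                return service, name
    return "unknown", None


def _fake_daemon(listener, connections):
    """Constructed stand-in for the mystery listener: answers a GET, says
    nothing to anything else and closes, much like the real host did."""
    for _ in range(connections):
        conn, _addr = listener.accept()
        with conn:
            conn.settimeout(0.3)
            try:
                request = conn.recv(1024)
            except socket.timeout:
                request = b""
            if request.startswith(b"GET "):
                conn.sendall(b"HTTP/1.0 200 OK\r\nServer: demo\r\n\r\n")


def demo():
    """Probe the local stand-in on an ephemeral port and compare the two views."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_fake_daemon, args=(listener, len(PROBES)), daemon=True)
    t.start()
    responses = probe_port("127.0.0.1", port, timeout=1.0)
    t.join()
    listener.close()
    service, via = identify(responses)
    return {"port": port, "table_name": services_name(port),
            "probed": service, "probe": via}


if __name__ == "__main__":
    print(demo())
```

On the local stand-in the table lookup has nothing useful to say about the ephemeral port while the GetRequest probe comes back as HTTP; the same routine run against a port like 4662 shows whether the "edonkey" label is more than a guess from /etc/services.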
