lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue Sep 13 23:55:02 2005
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Exploiting a Worm

Ian Gizak wrote:

> I'm pentesting a client's network and I have found a Windows NT4 machine 
> with ports 620 and 621 TCP ports open.
> 
> When I netcat this port, it returns garbage binary strings. When I connect 
> to port 113 (auth), it replies with random USERIDs.
> 
> According to what I have found, this behaviour would mean the presence of 
> the Agobot worm.

That is too limited a set of observations to draw that conclusion for 
sure.  After all, the source of various variants of various forks of 
most of the vaguely "popular" bots is available (which is largely why 
those bots are "popular"), so could easily have been partially copied 
in making a "new" bot (and we see a lot of evidence suggesting that 
this happens often).  Likewise, some "key features" of any given 
mainstream bot are equally likely to have been derived from other, pre-
existing "publicly" available code...

> A full TCP scan revealed the following result:
<<snip>>
> I have checked the open ports and no-one seems to be the worm ftp server or 
> something useful related to the worm. Some ports allow input but don't reply 
> anything...
> 
> Does anyone knows a way to exploit this worm to get access to the system?

Well, that will depend on precisely what variant of what code you have 
listening on those ports, and even on what compiler and options the 
binary was built with AND the precise CPU architecture, OS and 
configuration options the code is running on.

Of course, if you can get a sample of the binary off the machine, you 
can reverse it and work out those answers for yourself, but I doubt 
anyone here can divine them for you, from this distance...

...

I take it the VNC ports didn't prove useful?  VNC is often installed by 
malware, with trivial ("qwerty", "1234", "admin", "root", etc, even 
null) access passwords...


Regards,

Nick FitzGerald

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ