| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Sep 14 00:26:56 2005 From: lyal.collins at key2it.com.au (Lyal Collins) Subject: Exploiting a Worm If you get a packet capture, run it through an IDS platform with current alert signatures, and see if it alerts on any traffic. Or analyse outbound traffic destination from the machine - if traffic exits, or trys to exit the company boundaries without valid reason, then it's not good practice and should be cleaned up. Something that can work is adopting a message something like 'Because we don't know what damage to the company is occuring, and don't have time/resources to find out, we recommend that we <insert positive action here> to prevent further damage' - YMMV Lyal -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Paul Farrow Sent: Wednesday, 14 September 2005 9:01 AM Cc: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] Exploiting a Worm Another thing you could do is install an anti-virus app or by some other means identify the worm that is active and possibly get a variant version id. Find out how the worm installs itself, reverse engineer it, and remove it. If youre interested in whats actually happening, install something like etherreal win32 (will need libpcap) and listen to all the traffic for a while. Hope Ive thrown some ideas out there... Leetrifically, flame Ian Gizak wrote: > Hi list, > > I'm pentesting a client's network and I have found a Windows NT4 > machine with ports 620 and 621 TCP ports open. > > When I netcat this port, it returns garbage binary strings. When I > connect to port 113 (auth), it replies with random USERIDs. > > According to what I have found, this behaviour would mean the presence > of the Agobot worm. > > A full TCP scan revealed the following result: > > (The 29960 ports scanned but not shown below are in state: closed) > PORT STATE SERVICE > 21/tcp open ftp > 25/tcp open smtp > 80/tcp filtered http > 113/tcp open auth > 135/tcp filtered msrpc > 137/tcp filtered netbios-ns > 139/tcp filtered netbios-ssn > 443/tcp open https > 445/tcp filtered microsoft-ds > 465/tcp open smtps > 554/tcp open rtsp > 621/tcp open unknown > 622/tcp open unknown > 1028/tcp open unknown > 1031/tcp open iad2 > 1036/tcp open unknown > 1720/tcp filtered H.323/Q.931 > 1755/tcp open wms > 4600/tcp open unknown > 5400/tcp filtered pcduo-old > 5403/tcp filtered unknown > 5554/tcp filtered unknown > 5800/tcp open vnc-http > 5900/tcp open vnc > 6999/tcp filtered unknown > 8080/tcp open http-proxy > 9996/tcp filtered unknown > 10028/tcp filtered unknown > 10806/tcp filtered unknown > 12278/tcp filtered unknown > 14561/tcp filtered unknown > 16215/tcp filtered unknown > 17076/tcp filtered unknown > 18420/tcp filtered unknown > 18519/tcp filtered unknown > 19464/tcp filtered unknown > 20738/tcp filtered unknown > 25717/tcp filtered unknown > 25950/tcp filtered unknown > 28974/tcp filtered unknown > > I have checked the open ports and no-one seems to be the worm ftp > server or something useful related to the worm. Some ports allow input > but don't reply anything... > > Does anyone knows a way to exploit this worm to get access to the > system? > > Thanks in advance, > Ian > > _________________________________________________________________ > Don't just search. Find. Check out the new MSN Search! > http://search.msn.click-url.com/go/onm00200636ave/direct/01/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists