Date: Wed Sep 14 00:06:03 2005
From: augm58 at dsl.pipex.com (Paul Farrow)
Subject: Exploiting a Worm

Another thing you could do is install an anti-virus app, or by some other 
means identify the worm that is active and possibly get a variant 
version ID.
Find out how the worm installs itself, reverse engineer it, and remove it.

If you're interested in what's actually happening, install something like 
Ethereal win32 (will need libpcap) and listen to all the traffic for a 
while.

Hope I've thrown some ideas out there...


Leetrifically,
  flame

Ian Gizak wrote:

> Hi list,
>
> I'm pentesting a client's network and I have found a Windows NT4 
> machine with TCP ports 620 and 621 open.
>
> When I netcat this port, it returns garbage binary strings. When I 
> connect to port 113 (auth), it replies with random USERIDs.
>
> According to what I have found, this behaviour would mean the presence 
> of the Agobot worm.
>
> A full TCP scan revealed the following result:
>
> (The 29960 ports scanned but not shown below are in state: closed)
> PORT      STATE    SERVICE
> 21/tcp    open     ftp
> 25/tcp    open     smtp
> 80/tcp    filtered http
> 113/tcp   open     auth
> 135/tcp   filtered msrpc
> 137/tcp   filtered netbios-ns
> 139/tcp   filtered netbios-ssn
> 443/tcp   open     https
> 445/tcp   filtered microsoft-ds
> 465/tcp   open     smtps
> 554/tcp   open     rtsp
> 621/tcp   open     unknown
> 622/tcp   open     unknown
> 1028/tcp  open     unknown
> 1031/tcp  open     iad2
> 1036/tcp  open     unknown
> 1720/tcp  filtered H.323/Q.931
> 1755/tcp  open     wms
> 4600/tcp  open     unknown
> 5400/tcp  filtered pcduo-old
> 5403/tcp  filtered unknown
> 5554/tcp  filtered unknown
> 5800/tcp  open     vnc-http
> 5900/tcp  open     vnc
> 6999/tcp  filtered unknown
> 8080/tcp  open     http-proxy
> 9996/tcp  filtered unknown
> 10028/tcp filtered unknown
> 10806/tcp filtered unknown
> 12278/tcp filtered unknown
> 14561/tcp filtered unknown
> 16215/tcp filtered unknown
> 17076/tcp filtered unknown
> 18420/tcp filtered unknown
> 18519/tcp filtered unknown
> 19464/tcp filtered unknown
> 20738/tcp filtered unknown
> 25717/tcp filtered unknown
> 25950/tcp filtered unknown
> 28974/tcp filtered unknown
>
> I have checked the open ports and none of them seems to be the worm's FTP 
> server or anything useful related to the worm. Some ports accept input 
> but don't reply with anything...
>
> Does anyone know a way to exploit this worm to get access to the system?
>
> Thanks in advance,
> Ian
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
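
A small probe for the ident symptom Ian reports (port 113 answering the same
query with different USERIDs), as an added example that is not part of
either post. It is Python rather than the netcat/Ethereal tools mentioned in
the thread, and it assumes nothing about Agobot itself: it only checks
whether repeated, identical RFC 1413 queries get consistent answers, which a
genuine identd gives (normally ERROR:NO-USER for a connection that does not
exist). The server port 621 used in the query, the loopback fake servers and
their replies are constructed fixtures so the script runs offline; point
probe_ident() at host:113 to use it against a real box.

```python
"""Probe an ident/auth (TCP 113, RFC 1413) service for inconsistent USERID
replies.  Added example for the thread above, not code from either post.
The fake servers at the bottom are constructed fixtures for offline use."""
import itertools
import socket
import threading

IDENT_PORT = 113           # standard auth port, as in the nmap output
PROBE_SERVER_PORT = 621    # assumption: one of the 'unknown' open ports from the scan
PROBE_CLIENT_PORT = 40000  # assumption: arbitrary; no such connection exists


def parse_ident_reply(line):
    """Classify one RFC 1413 reply line.
    '<sport>,<cport>:USERID:<os>:<id>' -> ('USERID', id)
    '<sport>,<cport>:ERROR:<code>'     -> ('ERROR', code)
    anything else                      -> ('MALFORMED', raw)"""
    raw = line.strip()
    parts = [p.strip() for p in raw.split(":", 3)]
    if len(parts) == 4 and parts[1] == "USERID":
        return ("USERID", parts[3])
    if len(parts) == 3 and parts[1] == "ERROR":
        return ("ERROR", parts[2])
    return ("MALFORMED", raw)


def query_ident(host, port, server_port, client_port, timeout=3.0):
    """Send one '<server_port>,<client_port>' query and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{server_port},{client_port}\r\n".encode("ascii"))
        data = b""
        while not data.endswith(b"\n") and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace")


def probe_ident(host, port=IDENT_PORT, attempts=5,
                server_port=PROBE_SERVER_PORT, client_port=PROBE_CLIENT_PORT):
    """Repeat one identical query.  A genuine identd answers the same way each
    time, and for a connection that does not exist that answer is an ERROR.
    Any USERID for a bogus connection is suspicious; several different ones
    is the 'random USERIDs' symptom from the original post."""
    replies = [parse_ident_reply(query_ident(host, port, server_port, client_port))
               for _ in range(attempts)]
    userids = [payload for kind, payload in replies if kind == "USERID"]
    return {
        "replies": replies,
        "userid_for_bogus_conn": bool(userids),
        "random_userids": len(set(userids)) > 1,
    }


# --- constructed fixtures: two fake ident servers on loopback -------------

def start_fake_identd(responder):
    """Serve one reply per connection on 127.0.0.1 at an ephemeral port.
    Returns (port, stop) where stop() shuts the server down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                req = conn.recv(128).decode("ascii", "replace").strip()
                conn.sendall(responder(req).encode("ascii"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


_counter = itertools.count(1)


def changing_userid_responder(req):
    """Mimics the symptom in the post: a different USERID on every query."""
    return f"{req}:USERID:UNIX:user{next(_counter):04d}\r\n"


def honest_responder(req):
    """What a real identd says about a connection it does not have."""
    return f"{req}:ERROR:NO-USER\r\n"


if __name__ == "__main__":
    for name, responder in (("fake", changing_userid_responder),
                            ("honest", honest_responder)):
        port, stop = start_fake_identd(responder)
        result = probe_ident("127.0.0.1", port)
        stop()
        print(name, "random_userids =", result["random_userids"], result["replies"][:2])
```

The check is deliberately narrow: it says nothing about which worm is present,
only that the service on 113 is not a real identd, which is the one fact in
the thread that can be verified over the wire without touching the host.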
