Message-ID: <6450e99d05091321247f6beaa1@mail.gmail.com>
Date: Wed Sep 14 05:24:27 2005
From: ivanhec at gmail.com (Ivan .)
Subject: Exploiting a Worm
Ian,
Have you hit the box with nessus?
cheers
Ivan
On 9/14/05, Ian Gizak <iangizak@...mail.com> wrote:
> Hi list,
>
> I'm pentesting a client's network and I have found a Windows NT4 machine
> with TCP ports 620 and 621 open.
>
> When I netcat this port, it returns garbage binary strings. When I connect
> to port 113 (auth), it replies with random USERIDs.
>
> According to what I have found, this behaviour would mean the presence of
> the Agobot worm.
>
> A full TCP scan revealed the following result:
>
> (The 29960 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 21/tcp open ftp
> 25/tcp open smtp
> 80/tcp filtered http
> 113/tcp open auth
> 135/tcp filtered msrpc
> 137/tcp filtered netbios-ns
> 139/tcp filtered netbios-ssn
> 443/tcp open https
> 445/tcp filtered microsoft-ds
> 465/tcp open smtps
> 554/tcp open rtsp
> 621/tcp open unknown
> 622/tcp open unknown
> 1028/tcp open unknown
> 1031/tcp open iad2
> 1036/tcp open unknown
> 1720/tcp filtered H.323/Q.931
> 1755/tcp open wms
> 4600/tcp open unknown
> 5400/tcp filtered pcduo-old
> 5403/tcp filtered unknown
> 5554/tcp filtered unknown
> 5800/tcp open vnc-http
> 5900/tcp open vnc
> 6999/tcp filtered unknown
> 8080/tcp open http-proxy
> 9996/tcp filtered unknown
> 10028/tcp filtered unknown
> 10806/tcp filtered unknown
> 12278/tcp filtered unknown
> 14561/tcp filtered unknown
> 16215/tcp filtered unknown
> 17076/tcp filtered unknown
> 18420/tcp filtered unknown
> 18519/tcp filtered unknown
> 19464/tcp filtered unknown
> 20738/tcp filtered unknown
> 25717/tcp filtered unknown
> 25950/tcp filtered unknown
> 28974/tcp filtered unknown
>
> I have checked the open ports and none of them seems to be the worm FTP server or
> something useful related to the worm. Some ports allow input but don't reply
> with anything...
>
> Does anyone know a way to exploit this worm to get access to the system?
>
> Thanks in advance,
> Ian
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>