| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1126715947.35135.16.camel@localhost> Date: Wed Sep 14 17:40:29 2005 From: frank at knobbe.us (Frank Knobbe) Subject: Exploiting a Worm On Tue, 2005-09-13 at 22:29 +0000, Ian Gizak wrote: > I'm pentesting a client's network and I have found a Windows NT4 machine > with ports 620 and 621 TCP ports open. > > When I netcat this port, it returns garbage binary strings. When I connect > to port 113 (auth), it replies with random USERIDs. > [...] > I have checked the open ports and no-one seems to be the worm ftp server or > something useful related to the worm. Some ports allow input but don't reply > anything... Could it be that you are buzzing around a honeypot like a moth around a porch light? Or have to followed up with the client and can you rule it out as a honeypot? Otherwise it's a very interesting port fingerprint for an NT4 box :) Cheers, Frank -- Ciscogate: Shame on Cisco. Double-Shame on ISS. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050914/b8270ad9/attachment.bin
Powered by blists - more mailing lists