Message-ID: <000901c5b8ba$96675770$6600a8c0@kpllaptop>
Date: Wed Sep 14 00:26:56 2005
From: lyal.collins at key2it.com.au (Lyal Collins)
Subject: Exploiting a Worm
If you get a packet capture, run it through an IDS platform with current
alert signatures, and see if it alerts on any traffic.
Or analyse outbound traffic destination from the machine - if traffic exits,
or tries to exit the company boundaries without valid reason, then it's not
good practice and should be cleaned up.
Something that can work is adopting a message something like 'Because we
don't know what damage to the company is occurring, and don't have
time/resources to find out, we recommend that we <insert positive action
here> to prevent further damage' - YMMV
Lyal
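Lyal's second suggestion, flagging traffic that leaves the company boundary from the suspect machine without a valid reason, is easy to script once you have a connection log from the IDS or capture box. The following is an added example, not code from the thread or from any tool it mentions: it parses a constructed connection log (the line format and every address are invented; the external addresses are documentation ranges), treats RFC 1918 space as internal, and counts every outbound connection from the host under suspicion to an external destination that is not on an assumed allowlist of approved egress points such as the company proxy.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample connection log for a host under suspicion. The format
# (timestamp  src:port -> dst:port proto) and all addresses are invented
# for this example; the external addresses are documentation ranges.
SAMPLE_LOG = """\
2005-09-14 09:01:02 10.1.2.50:1045 -> 10.1.2.10:445 TCP
2005-09-14 09:01:03 10.1.2.50:1046 -> 192.0.2.77:6667 TCP
2005-09-14 09:01:09 10.1.2.50:1047 -> 192.0.2.77:6667 TCP
2005-09-14 09:01:11 10.1.2.50:1048 -> 198.51.100.9:80 TCP
2005-09-14 09:01:15 10.1.2.50:1049 -> 203.0.113.5:135 TCP
2005-09-14 09:01:20 10.1.2.99:1050 -> 203.0.113.5:135 TCP
2005-09-14 09:01:25 10.1.2.50:1051 -> 10.1.2.99:80 TCP
"""

# Assumed company-internal address space (RFC 1918); adjust to your own.
# Checked explicitly rather than via ip_address().is_private, because that
# property also returns True for the documentation ranges used above.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed allowlist of external destinations the host may legitimately reach
# (e.g. the company web proxy). Anything else leaving the boundary is flagged.
APPROVED_EXTERNAL = {"198.51.100.9"}

LINE_RX = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_log(text):
    """Yield (src, dst, dport, proto) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RX.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["proto"]


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_outbound(text, host, allowlist=APPROVED_EXTERNAL):
    """Count connections from `host` to external destinations not on the
    allowlist, keyed by (dst, dport, proto)."""
    hits = Counter()
    for src, dst, dport, proto in parse_log(text):
        if src != host or is_internal(dst) or dst in allowlist:
            continue
        hits[(dst, dport, proto)] += 1
    return hits


def report(text, host):
    """Findings sorted by connection count, most frequent first."""
    hits = suspicious_outbound(text, host)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (dst, dport, proto), n in report(SAMPLE_LOG, "10.1.2.50"):
        print(f"{dst}:{dport}/{proto}  {n} connection(s) left the boundary")
```

Repeated connections to one external host on a port the machine has no business using (here 6667, a common IRC port) are what the triage surfaces first; the allowlist keeps known egress points such as the proxy out of the list, and the host filter means a second internal machine talking to the same destination is not attributed to the one being examined.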
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Paul Farrow
Sent: Wednesday, 14 September 2005 9:01 AM
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Exploiting a Worm
Another thing you could do is install an anti-virus app or by some other
means identify the worm that is active and possibly get a variant
version id.
Find out how the worm installs itself, reverse engineer it, and remove it.
If you're interested in what's actually happening, install something like
Ethereal win32 (will need libpcap) and listen to all the traffic for a
while.
Hope I've thrown some ideas out there...
Leetrifically,
flame
Ian Gizak wrote:
> Hi list,
>
> I'm pentesting a client's network and I have found a Windows NT4
> machine with TCP ports 620 and 621 open.
>
> When I netcat this port, it returns garbage binary strings. When I
> connect to port 113 (auth), it replies with random USERIDs.
>
> According to what I have found, this behaviour would mean the presence
> of the Agobot worm.
>
> A full TCP scan revealed the following result:
>
> (The 29960 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 21/tcp open ftp
> 25/tcp open smtp
> 80/tcp filtered http
> 113/tcp open auth
> 135/tcp filtered msrpc
> 137/tcp filtered netbios-ns
> 139/tcp filtered netbios-ssn
> 443/tcp open https
> 445/tcp filtered microsoft-ds
> 465/tcp open smtps
> 554/tcp open rtsp
> 621/tcp open unknown
> 622/tcp open unknown
> 1028/tcp open unknown
> 1031/tcp open iad2
> 1036/tcp open unknown
> 1720/tcp filtered H.323/Q.931
> 1755/tcp open wms
> 4600/tcp open unknown
> 5400/tcp filtered pcduo-old
> 5403/tcp filtered unknown
> 5554/tcp filtered unknown
> 5800/tcp open vnc-http
> 5900/tcp open vnc
> 6999/tcp filtered unknown
> 8080/tcp open http-proxy
> 9996/tcp filtered unknown
> 10028/tcp filtered unknown
> 10806/tcp filtered unknown
> 12278/tcp filtered unknown
> 14561/tcp filtered unknown
> 16215/tcp filtered unknown
> 17076/tcp filtered unknown
> 18420/tcp filtered unknown
> 18519/tcp filtered unknown
> 19464/tcp filtered unknown
> 20738/tcp filtered unknown
> 25717/tcp filtered unknown
> 25950/tcp filtered unknown
> 28974/tcp filtered unknown
>
> I have checked the open ports and none seems to be the worm ftp
> server or something useful related to the worm. Some ports allow input
> but don't reply anything...
>
> Does anyone know a way to exploit this worm to get access to the
> system?
>
> Thanks in advance,
> Ian
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>