Re: [Full-disclosure] Exploiting a Worm
From: Paul Farrow (augm58_at_dsl.pipex.com)
Date: Wed, 14 Sep 2005 00:01:17 +0100
Another thing you could do is install an anti-virus app or by some other
means identify the worm that is active and possibly get a variant
Find out how the worm installs itself, reverse engineer it, and remove it.
If you're interested in what's actually happening, install something like
Ethereal win32 (will need libpcap) and listen to all the traffic for a
Hope I've thrown some ideas out there...
Ian Gizak wrote:
> Hi list,
> I'm pentesting a client's network and I have found a Windows NT4
> machine with ports 620 and 621 TCP ports open.
> When I netcat this port, it returns garbage binary strings. When I
> connect to port 113 (auth), it replies with random USERIDs.
> According to what I have found, this behaviour would mean the presence
> of the Agobot worm.
> A full TCP scan revealed the following result:
> (The 29960 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 21/tcp open ftp
> 25/tcp open smtp
> 80/tcp filtered http
> 113/tcp open auth
> 135/tcp filtered msrpc
> 137/tcp filtered netbios-ns
> 139/tcp filtered netbios-ssn
> 443/tcp open https
> 445/tcp filtered microsoft-ds
> 465/tcp open smtps
> 554/tcp open rtsp
> 621/tcp open unknown
> 622/tcp open unknown
> 1028/tcp open unknown
> 1031/tcp open iad2
> 1036/tcp open unknown
> 1720/tcp filtered H.323/Q.931
> 1755/tcp open wms
> 4600/tcp open unknown
> 5400/tcp filtered pcduo-old
> 5403/tcp filtered unknown
> 5554/tcp filtered unknown
> 5800/tcp open vnc-http
> 5900/tcp open vnc
> 6999/tcp filtered unknown
> 8080/tcp open http-proxy
> 9996/tcp filtered unknown
> 10028/tcp filtered unknown
> 10806/tcp filtered unknown
> 12278/tcp filtered unknown
> 14561/tcp filtered unknown
> 16215/tcp filtered unknown
> 17076/tcp filtered unknown
> 18420/tcp filtered unknown
> 18519/tcp filtered unknown
> 19464/tcp filtered unknown
> 20738/tcp filtered unknown
> 25717/tcp filtered unknown
> 25950/tcp filtered unknown
> 28974/tcp filtered unknown
> I have checked the open ports and no-one seems to be the worm ftp
> server or something useful related to the worm. Some ports allow input
> but don't reply anything...
> Does anyone knows a way to exploit this worm to get access to the system?
> Thanks in advance,
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
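As an added example that is not part of this thread (neither poster's code), here is a small Python triage helper for the nmap-style port table Ian quoted. It parses each `port/proto state service` line into a record, counts states, and lists the ports nmap reported open but could not name, which is the short list a responder would pull into the packet capture Paul suggests before deciding anything about the box. The scan lines are taken from the quoted mail; the `PortRecord` type, the regex and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Port table as quoted in the thread (header and summary line included
# so the parser has to skip them, as it would with real nmap output).
SCAN_OUTPUT = """\
(The 29960 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp filtered http
113/tcp open auth
135/tcp filtered msrpc
137/tcp filtered netbios-ns
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
554/tcp open rtsp
621/tcp open unknown
622/tcp open unknown
1028/tcp open unknown
1031/tcp open iad2
1036/tcp open unknown
1720/tcp filtered H.323/Q.931
1755/tcp open wms
4600/tcp open unknown
5400/tcp filtered pcduo-old
5403/tcp filtered unknown
5554/tcp filtered unknown
5800/tcp open vnc-http
5900/tcp open vnc
6999/tcp filtered unknown
8080/tcp open http-proxy
9996/tcp filtered unknown
10028/tcp filtered unknown
10806/tcp filtered unknown
12278/tcp filtered unknown
14561/tcp filtered unknown
16215/tcp filtered unknown
17076/tcp filtered unknown
18420/tcp filtered unknown
18519/tcp filtered unknown
19464/tcp filtered unknown
20738/tcp filtered unknown
25717/tcp filtered unknown
25950/tcp filtered unknown
28974/tcp filtered unknown
"""


@dataclass(frozen=True)
class PortRecord:
    """One row of an nmap port table (hypothetical type, not nmap's own)."""
    port: int
    proto: str
    state: str
    service: str


# Matches "621/tcp open unknown"; anything else (header, closed-port
# summary, blank lines) is ignored rather than treated as an error.
LINE_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S.*?)\s*$")


def parse_port_table(text: str) -> List[PortRecord]:
    """Parse nmap's plain-text port table into PortRecord rows."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append(PortRecord(int(m.group(1)), m.group(2),
                                  m.group(3), m.group(4)))
    return records


def state_counts(records: List[PortRecord]) -> Dict[str, int]:
    """How many ports were reported in each state (open, filtered, ...)."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.state] = counts.get(r.state, 0) + 1
    return counts


def unrecognised_open_ports(records: List[PortRecord]) -> List[int]:
    """Open ports nmap could not name: the first candidates to capture
    traffic on and fingerprint, since known services explain themselves."""
    return sorted(r.port for r in records
                  if r.state == "open" and r.service == "unknown")


if __name__ == "__main__":
    rows = parse_port_table(SCAN_OUTPUT)
    print("state counts:", state_counts(rows))
    print("open but unrecognised:", unrecognised_open_ports(rows))
```

Run as-is it prints the state tally and the five open ports nmap listed as `unknown`; those, plus the odd responses Ian saw on 113, are what a capture filter should be built around before any conclusion about which worm family is present.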