Re: [Full-disclosure] Exploiting a Worm

From: Paul Farrow (augm58_at_dsl.pipex.com)
Date: 09/14/05

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-disclosure] Exploiting a Worm"
    Date: Wed, 14 Sep 2005 00:01:17 +0100
    
    

    Another thing you could do is install an anti-virus app or by some other
    means identify the worm that is active and possibly get a variant
    version id.
    Find out how the worm installs itself, reverse engineer it, and remove it.

    If you're interested in what's actually happening, install something like
    Ethereal win32 (will need libpcap) and listen to all the traffic for a
    while.

    Hope I've thrown some ideas out there...

    Leetrifically,
      flame

    Ian Gizak wrote:

    > Hi list,
    >
    > I'm pentesting a client's network and I have found a Windows NT4
    > machine with ports 620 and 621 TCP ports open.
    >
    > When I netcat this port, it returns garbage binary strings. When I
    > connect to port 113 (auth), it replies with random USERIDs.
    >
    > According to what I have found, this behaviour would mean the presence
    > of the Agobot worm.
    >
    > A full TCP scan revealed the following result:
    >
    > (The 29960 ports scanned but not shown below are in state: closed)
    > PORT STATE SERVICE
    > 21/tcp open ftp
    > 25/tcp open smtp
    > 80/tcp filtered http
    > 113/tcp open auth
    > 135/tcp filtered msrpc
    > 137/tcp filtered netbios-ns
    > 139/tcp filtered netbios-ssn
    > 443/tcp open https
    > 445/tcp filtered microsoft-ds
    > 465/tcp open smtps
    > 554/tcp open rtsp
    > 621/tcp open unknown
    > 622/tcp open unknown
    > 1028/tcp open unknown
    > 1031/tcp open iad2
    > 1036/tcp open unknown
    > 1720/tcp filtered H.323/Q.931
    > 1755/tcp open wms
    > 4600/tcp open unknown
    > 5400/tcp filtered pcduo-old
    > 5403/tcp filtered unknown
    > 5554/tcp filtered unknown
    > 5800/tcp open vnc-http
    > 5900/tcp open vnc
    > 6999/tcp filtered unknown
    > 8080/tcp open http-proxy
    > 9996/tcp filtered unknown
    > 10028/tcp filtered unknown
    > 10806/tcp filtered unknown
    > 12278/tcp filtered unknown
    > 14561/tcp filtered unknown
    > 16215/tcp filtered unknown
    > 17076/tcp filtered unknown
    > 18420/tcp filtered unknown
    > 18519/tcp filtered unknown
    > 19464/tcp filtered unknown
    > 20738/tcp filtered unknown
    > 25717/tcp filtered unknown
    > 25950/tcp filtered unknown
    > 28974/tcp filtered unknown
    >
    > I have checked the open ports and none seems to be the worm ftp
    > server or something useful related to the worm. Some ports allow input
    > but don't reply with anything...
    >
    > Does anyone know a way to exploit this worm to get access to the system?
    >
    > Thanks in advance,
    > Ian
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >

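The reply's first suggestion is to identify which worm is active before doing anything else, and the quoted post gives the raw material for that: an nmap-style port table pasted into a mail reply. The script below is an added example, not code from either poster, that parses such a table (tolerating the `>` quote prefixes mail clients add), counts states, and lists the open ports nmap could not name as the ones an incident responder should look at first. The sample input is the scan table from the quoted post; the `suspect_ports` argument is an assumption of this example, meant for ports the analyst already has a reason to examine, such as the ident port the poster mentions.

```python
import re
from collections import Counter

# Constructed sample: the TCP scan table copied from the quoted post.
SCAN_OUTPUT = """\
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp filtered http
113/tcp open auth
135/tcp filtered msrpc
137/tcp filtered netbios-ns
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
554/tcp open rtsp
621/tcp open unknown
622/tcp open unknown
1028/tcp open unknown
1031/tcp open iad2
1036/tcp open unknown
1720/tcp filtered H.323/Q.931
1755/tcp open wms
4600/tcp open unknown
5400/tcp filtered pcduo-old
5403/tcp filtered unknown
5554/tcp filtered unknown
5800/tcp open vnc-http
5900/tcp open vnc
6999/tcp filtered unknown
8080/tcp open http-proxy
9996/tcp filtered unknown
10028/tcp filtered unknown
10806/tcp filtered unknown
12278/tcp filtered unknown
14561/tcp filtered unknown
16215/tcp filtered unknown
17076/tcp filtered unknown
18420/tcp filtered unknown
18519/tcp filtered unknown
19464/tcp filtered unknown
20738/tcp filtered unknown
25717/tcp filtered unknown
25950/tcp filtered unknown
28974/tcp filtered unknown
"""

# One "PORT STATE SERVICE" row; nmap also emits "open|filtered" for UDP-style ambiguity.
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S.*)$")


def parse_scan(text):
    """Return (port, proto, state, service) tuples for every scan row in the text.

    Leading '>' characters are stripped so a table quoted in a mail reply parses too.
    Header lines and unrelated prose simply do not match and are skipped.
    """
    rows = []
    for line in text.splitlines():
        cleaned = line.strip().lstrip("> ").strip()
        m = LINE_RE.match(cleaned)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
    return rows


def summarize(rows):
    """Count rows per port state, e.g. {'open': 16, 'filtered': 24}."""
    return dict(Counter(state for _, _, state, _ in rows))


def triage_candidates(rows, suspect_ports=()):
    """Open ports worth examining first when looking for an unknown implant.

    Picks open ports whose service nmap could not name, plus any port in
    suspect_ports (hypothetical parameter: ports the analyst already suspects).
    Returned in scan order as (port, proto, service).
    """
    return [
        (port, proto, service)
        for port, proto, state, service in rows
        if state == "open" and (service == "unknown" or port in suspect_ports)
    ]


if __name__ == "__main__":
    rows = parse_scan(SCAN_OUTPUT)
    print("state counts:", summarize(rows))
    for port, proto, service in triage_candidates(rows, suspect_ports=(113,)):
        print(f"examine {port}/{proto} ({service})")
```

Running it on the pasted table prints the state counts and a short examine-first list; the unnamed open ports are the ones to correlate against an AV vendor's write-up for the suspected variant and against a packet capture taken the way the reply suggests, rather than against the much longer list of filtered ports, which tells you about a firewall, not about the host.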

