Re: [Full-disclosure] Exploiting a Worm
From: Frank Knobbe (frank_at_knobbe.us)
Date: 09/14/05
- Previous message: Ron Bidule: "[Full-disclosure] Security Conference"
- In reply to: Ian Gizak: "[Full-disclosure] Exploiting a Worm"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Ian Gizak <iangizak@hotmail.com>
Date: Wed, 14 Sep 2005 11:39:06 -0500
On Tue, 2005-09-13 at 22:29 +0000, Ian Gizak wrote:
> I'm pentesting a client's network and I have found a Windows NT4 machine
> with ports 620 and 621 TCP ports open.
>
> When I netcat this port, it returns garbage binary strings. When I connect
> to port 113 (auth), it replies with random USERIDs.
> [...]
> I have checked the open ports and no-one seems to be the worm ftp server or
> something useful related to the worm. Some ports allow input but don't reply
> anything...
Could it be that you are buzzing around a honeypot like a moth around a
porch light? Or have you followed up with the client and can you rule it
out as a honeypot? Otherwise it's a very interesting port fingerprint
for an NT4 box :)
Cheers,
Frank
-- Ciscogate: Shame on Cisco. Double-Shame on ISS.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- application/pgp-signature attachment: This is a digitally signed message part