Re: [Full-disclosure] Exploiting a Worm
From: Frank Knobbe (frank_at_knobbe.us)
To: Ian Gizak <firstname.lastname@example.org>
Date: Wed, 14 Sep 2005 11:39:06 -0500
On Tue, 2005-09-13 at 22:29 +0000, Ian Gizak wrote:
> I'm pentesting a client's network and I have found a Windows NT4 machine
> with ports 620 and 621 TCP ports open.
> When I netcat this port, it returns garbage binary strings. When I connect
> to port 113 (auth), it replies with random USERIDs.
> I have checked the open ports and no-one seems to be the worm ftp server or
> something useful related to the worm. Some ports allow input but don't reply
Could it be that you are buzzing around a honeypot like a moth around a
porch light? Or have you followed up with the client and can you rule it
out as a honeypot? Otherwise it's a very interesting port fingerprint
for an NT4 box :)
-- Ciscogate: Shame on Cisco. Double-Shame on ISS.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/