Re: Unknown Telnet server

From: akomolafe (deji@prontomail.com)
Date: 09/17/01


Message-ID: <001001c13f99$3d4c95e0$f701fe0a@commtouch.com>
From: "akomolafe" <deji@prontomail.com>
To: "James Fullerton" <James@RS25.com>, <focus-ms@securityfocus.com>
Subject: Re: Unknown Telnet server
Date: Mon, 17 Sep 2001 09:53:13 -0700

First, start by doing this:
netstat -an |find /i "listening"
That should give you a list of ports that the desktop is listening on. From
this, you should be able to see what's being used. Then jump over to
http://www.simovits.com/nyheter9902.html and compare what you see with
what's listed there.

Then, the obvious place to look in will be the task manager. Of course, if
it's a funny telnet server/client, this could be hidden from the task list.

Now, hurry over to foundstone.com and get fport. Run it and get a list of
ports/applications on the desktop. Examine the list to see what is related
to the telnet server or what is running that shouldn't be. Beware of the
usual name disguise that is commonly used to hide illicit apps/trojans.
Explorer.exe looks very much like Exp1orer.exe, so examine your list
carefully.

Next (or maybe it should be FIRST), look at the Run, RunOnce, and RunOnceEx
hives of the desktop's registry and see what's in there. If you find
ANYTHING, you don't recognize, disable it, then trace it back to its path,
find its exe and research that.

HTH

Deji
----- Original Message -----
From: "James Fullerton" <James@RS25.com>
To: <focus-ms@securityfocus.com>
Sent: Friday, September 14, 2001 8:38 PM
Subject: Unknown Telnet server

> Hello all,
>
> Wondering if someone can help me out. My employer has asked me to do a
> security test of their network, using ANY method I can to find holes in
the
> network. So far I have only one tiny hole. It's a Telnet server running
on
> someone's desktop computer which has a hole through the firewall.
However,
> I have no idea what Telnet server it is, and if there are any exploits
that
> I could use against it. The only thing it does is, when I connect, says:
>
> Hello>
>
> Anything I type disconnects me, but I can connect over and over again.
>
> Any idea on what type of Telnet server that is? Chances are that it is
> running on Windows NT 4.0 with SP6, but it could be on NT server or
(slight
> chance) 2000 Server.
>
> Also, does anyone know of a brute-force password guessing tool I could try
> and use against it?
>
> Thanks,
>
>
> James F
> James@RS25.com
> Web Technical Lead
>
>



Relevant Pages

  • Re[2]: Unknown Telnet server
    ... Subject: Unknown Telnet server ... (original message has been altered to correct quoting) ... I assume it is a telnet server because it runs on port 23 ... > I can use outside of the firewall? ...
    (Focus-Microsoft)
  • RE: Unknown Telnet server
    ... Subject: Unknown Telnet server ... Use fport.exe on the client workstation which will show all the listening ... So far I have only one tiny hole. ...
    (Focus-Microsoft)
  • RE: Unknown Telnet server
    ... Subject: Unknown Telnet server ... exploits for the MS telnet server, but that's not to say that there aren't ... telnet server just increases your chances of finding an exploit. ... So far I have only one tiny hole. ...
    (Focus-Microsoft)
  • Unknown Telnet server
    ... security test of their network, using ANY method I can to find holes in the ... So far I have only one tiny hole. ... It's a Telnet server running on ... Chances are that it is ...
    (Focus-Microsoft)