From: Nicolas Gregoire (ngregoire@exaprobe.com)
Date: Tue Sep 16 2003 - 03:21:47 EDT
On Tue, 2003-09-16 at 05:33, Bryan Miller wrote:
> During a pen test yesterday I came across TCP port 6501. Upon
> connecting to it via Netcat, I received the following screen:
>
> 220-W4A BotServ 2.0
> 220-==============================================
> 220-You are Connecting From x.x.x.x
> [...]
> 220-Total Kb downloaded: 0 Kb
> 220-Total Kb uploaded: 0 Kb
> 220-Amout of Files downloaded: 0
> [..]
>
> Has anyone seen this before? Am I correct in assuming it's some form
> of IRC bot? If so, how do I talk to it to verify? Does it have some
> interesting uses?
It's a "stro". This is also known as a "private warez server".
I sometimes found them on some big-bandwidth compromised boxes. Warn your
customer and try to give a closer look to this box. Beware of Win32
rootkits, they could hide processes and network connections from "local"
tools (netstat, ...) and are often used on stros.
Regards,
--
Nicolas Gregoire
Information Systems Security Consultant
ngregoire@exaprobe.com
------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID: CA61B44F
FingerPrint: 1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
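An added example, not part of the thread, of the two checks a tester would want after a reply like this: parse the 220- greeting to record what the daemon announces, and compare the externally observed port with what the host's own netstat admits to, since a listener the box hides from itself is the rootkit symptom Nicolas describes. The banner, netstat listing and port numbers below are constructed; the stro markers are assumptions drawn from the quoted banner.

```python
import re
from typing import Dict, Set

# Constructed banner, modelled on the one quoted in the thread (values made up).
SAMPLE_BANNER = """220-W4A BotServ 2.0
220-==============================================
220-You are Connecting From 192.0.2.10
220-Total Kb downloaded: 0 Kb
220-Total Kb uploaded: 0 Kb
220-Amout of Files downloaded: 0
220 Welcome
"""

# Constructed Windows netstat -an output that does NOT show port 6501.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
"""

# Assumed banner substrings that point at a warez daemon rather than a normal FTP server.
STRO_MARKERS = ("botserv", "total kb downloaded", "files downloaded")

def parse_220_banner(banner: str) -> Dict[str, str]:
    """Split an FTP-style multi-line 220 greeting into fields.
    First line becomes 'server'; 'key: value' lines become lower-cased entries."""
    fields: Dict[str, str] = {}
    lines = [l[4:].strip() for l in banner.splitlines() if l.startswith("220")]
    if lines:
        fields["server"] = lines[0]
    for line in lines[1:]:
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields

def looks_like_stro(banner: str) -> bool:
    """True when the greeting carries any of the assumed stro markers."""
    low = banner.lower()
    return any(m in low for m in STRO_MARKERS)

def hidden_listeners(external_open: Set[int], netstat_output: str) -> Set[int]:
    """Ports an external scan saw open that the host's netstat does not list.
    A non-empty result means local tooling is being lied to (rootkit indicator)."""
    local: Set[int] = set()
    for line in netstat_output.splitlines():
        m = re.search(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            local.add(int(m.group(1)))
    return external_open - local
```

Run the port comparison with the scanner's result on one side and a netstat capture taken on the host on the other; any port left over deserves an offline look at the disk rather than trust in the live system.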