Re: [Full-disclosure] Exploiting a Worm

From: Karma (karma@frij.com)
Date: Tue Sep 13 2005 - 20:41:09 EDT


probably a bot. I would send a copy of the bot away, either quarantine the
machine for forensics or reinstall it.

Some bots still require identd service but many don't anymore.

----- Original Message -----
From: "Ian Gizak" <iangizak@hotmail.com>
To: <pen-test@securityfocus.com>
Sent: Wednesday, September 14, 2005 8:17 AM
Subject: [Full-disclosure] Exploiting a Worm

> Hi list,
>
> I'm pentesting a client's network and I have found a Windows NT4 machine
> with TCP ports 620 and 621 open.
>
> When I netcat this port, it returns garbage binary strings. When I connect
> to port 113 (auth), it replies with random USERIDs.
>
> According to what I have found, this behaviour would mean the presence of
> the Agobot worm.
>
> A full TCP scan revealed the following result:
>
> (The 29960 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 21/tcp open ftp
> 25/tcp open smtp
> 80/tcp filtered http
> 113/tcp open auth
> 135/tcp filtered msrpc
> 137/tcp filtered netbios-ns
> 139/tcp filtered netbios-ssn
> 443/tcp open https
> 445/tcp filtered microsoft-ds
> 465/tcp open smtps
> 554/tcp open rtsp
> 621/tcp open unknown
> 622/tcp open unknown
> 1028/tcp open unknown
> 1031/tcp open iad2
> 1036/tcp open unknown
> 1720/tcp filtered H.323/Q.931
> 1755/tcp open wms
> 4600/tcp open unknown
> 5400/tcp filtered pcduo-old
> 5403/tcp filtered unknown
> 5554/tcp filtered unknown
> 5800/tcp open vnc-http
> 5900/tcp open vnc
> 6999/tcp filtered unknown
> 8080/tcp open http-proxy
> 9996/tcp filtered unknown
> 10028/tcp filtered unknown
> 10806/tcp filtered unknown
> 12278/tcp filtered unknown
> 14561/tcp filtered unknown
> 16215/tcp filtered unknown
> 17076/tcp filtered unknown
> 18420/tcp filtered unknown
> 18519/tcp filtered unknown
> 19464/tcp filtered unknown
> 20738/tcp filtered unknown
> 25717/tcp filtered unknown
> 25950/tcp filtered unknown
> 28974/tcp filtered unknown
>
> I have checked the open ports and none seems to be the worm ftp server
> or something useful related to the worm. Some ports allow input but don't
> reply anything...
>
> Does anyone know a way to exploit this worm to get access to the system?
>
> Thanks in advance,
> Ian
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:53 EDT