Penetration Testing mailing list archives
Re: [Full-disclosure] Exploiting a Worm
From: Dave Dittrich <dittrich () u washington edu>
Date: Tue, 13 Sep 2005 16:19:00 -0700 (PDT)
> I'm pentesting a client's network and I have found a Windows NT4 machine with TCP ports 620 and 621 open. According to what I have found, this behaviour would mean the presence of the Agobot worm.
First, Agobot is not exactly a "worm", per se, although it can be programmed to act like a worm. It is a bot, "blended threat", or "remote control trojan on steroids," but not really a worm like Sasser, Blaster, Slammer, etc.
> When I netcat this port, it returns garbage binary strings. When I connect to port 113 (auth), it replies with random USERIDs.
As a general rule, it isn't wise to poke around ports on a compromised host without knowing exactly what is going on. The port that returns you "garbage" characters is a file transfer, and that file transfer is logged to the channel (allowing the attacker a feedback loop.) (If you were capturing network traffic to/from that host, look for your IP address in the IRC channel traffic and you'll see it. :)
> Does anyone know a way to exploit this worm to get access to the system?
Assuming you are correct that it is Agobot, there may be options, but then you wouldn't know if the attacker has changed anything that would make the bot harder to take over. Have you tried getting someone with administrative access to look at the host? If you're doing a pen test, and you discover that the client's network is already compromised, hadn't you better inform them of this now?

--
Dave Dittrich
Information Assurance Researcher, dittrich () u washington edu
The iSchool, University of Washington
http://staff.washington.edu/dittrich
PGP key: http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint: FE97 0C57 0843 F3EB 49A1 0CD0 8E0C D0BE C838 CCB5
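Dave's suggestion above, to capture the host's traffic and look for your own address in the IRC channel, as an added example that is not part of the original thread: a small Python parser for raw IRC protocol lines (RFC 1459 style, `[:prefix] COMMAND params [:trailing]`) that flags every PRIVMSG or NOTICE whose text mentions the tester's IP. The capture, nicknames, channel name and message wording are constructed for illustration and are not real Agobot output; the point is the protocol parsing and the exact-address match, which avoids treating 10.1.2.30 as a hit for 10.1.2.3.

```python
"""Scan captured IRC traffic for messages that mention the tester's own IP."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str] = field(default_factory=list)

    @property
    def nick(self) -> Optional[str]:
        # "nick!user@host" -> "nick"; a bare server name has no '!' and is returned as-is
        if self.prefix and "!" in self.prefix:
            return self.prefix.split("!", 1)[0]
        return self.prefix


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Parse one IRC line: optional ':prefix', a command, middle params, optional ':trailing'."""
    line = line.rstrip("\r\n")
    if not line:
        return None
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # Middle params can never start with ':', so the first " :" begins the trailing param.
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    params = parts[1:]
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


def find_ip_mentions(capture: str, tester_ip: str):
    """Return (nick, target, text) for each PRIVMSG/NOTICE whose text contains tester_ip exactly."""
    # Lookarounds keep 10.1.2.3 from matching inside 10.1.2.30 or 210.1.2.3.
    pattern = re.compile(r"(?<![\d.])" + re.escape(tester_ip) + r"(?![\d.])")
    hits = []
    for raw in capture.splitlines():
        msg = parse_irc_line(raw)
        if msg is None or msg.command not in ("PRIVMSG", "NOTICE") or len(msg.params) < 2:
            continue
        target, text = msg.params[0], msg.params[-1]
        if pattern.search(text):
            hits.append((msg.nick, target, text))
    return hits


# Constructed sample capture (not real bot traffic): a bot joins a channel and
# reports connections it received, including two from the tester's address.
SAMPLE_CAPTURE = "\r\n".join([
    ":irc.example.net 001 bot-3f2a :Welcome",
    ":bot-3f2a!bot@nt4box.corp.example JOIN :#ctl",
    ":bot-3f2a!bot@nt4box.corp.example PRIVMSG #ctl :transfer to 10.1.2.3 started",
    ":bot-3f2a!bot@nt4box.corp.example PRIVMSG #ctl :transfer to 10.1.2.30 started",
    "PING :irc.example.net",
    ":bot-3f2a!bot@nt4box.corp.example PRIVMSG #ctl :ident request from 10.1.2.3",
    ":someop!op@host.example PRIVMSG bot-3f2a :.status",
])

if __name__ == "__main__":
    for nick, target, text in find_ip_mentions(SAMPLE_CAPTURE, "10.1.2.3"):
        print(f"{nick} -> {target}: {text}")
```

Feed it the reassembled TCP payload of the bot's IRC connection (for example the output of a stream-follow in your sniffer) rather than raw packets, since IRC lines can span segments; anything it flags is the attacker being told about your probes, which is the feedback loop the reply above warns about.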
Current thread:
- Exploiting a Worm Ian Gizak (Sep 14)
- Re: Exploiting a Worm Paul Robertson (Sep 15)
- Re: Exploiting a Worm Craig Holmes (Sep 15)
- Re: Exploiting a Worm Marco Monicelli (Sep 15)
- <Possible follow-ups>
- Exploiting a Worm Ian Gizak (Sep 14)
- RE: [Full-disclosure] Exploiting a Worm Aditya Deshmukh (Sep 14)
- Re: [Full-disclosure] Exploiting a Worm Dave Dittrich (Sep 14)
- Re: [Full-disclosure] Exploiting a Worm Karma (Sep 14)
- RE: Exploiting a Worm Drage, Nick (Sep 16)