Penetration Testing mailing list archives

Re: [Full-disclosure] Exploiting a Worm


From: Dave Dittrich <dittrich () u washington edu>
Date: Tue, 13 Sep 2005 16:19:00 -0700 (PDT)

> I'm pentesting a client's network and I have found a Windows NT4 machine
> with TCP ports 620 and 621 open.

> According to what I have found, this behaviour would mean the presence of
> the Agobot worm.

First, Agobot is not exactly a "worm", per se, although it can
be programmed to act like a worm.  It is a bot, "blended threat",
or "remote control trojan on steroids," but not really a worm like
Sasser, Blaster, Slammer, etc.

> When I netcat this port, it returns garbage binary strings. When I connect
> to port 113 (auth), it replies with random USERIDs.

As a general rule, it isn't wise to poke around ports on a compromised
host without knowing exactly what is going on.  The port that returns
you "garbage" characters is a file transfer, and that file transfer is
logged to the channel (allowing the attacker a feedback loop.)
(If you were capturing network traffic to/from that host, look for
your IP address in the IRC channel traffic and you'll see it. :)

> Does anyone know a way to exploit this worm to get access to the system?

Assuming you are correct that it is Agobot, there may be options, but
then you wouldn't know if the attacker has changed anything that would
make the bot harder to take over.  Have you tried getting someone with
administrative access to look at the host?  If you're doing a pen
test, and you discover that the client's network is already
compromised, hadn't you better inform them of this now?

--
Dave Dittrich                           Information Assurance Researcher,
dittrich () u washington edu               The iSchool
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5
