On Thu, Oct 21, 1999 at 08:33:43PM +0100, Christoph Schneeberger wrote:
> Hi,
> I'm sorry if this is completely stupid but I can't explain what's going on.

This is a joke right? You can't seriously be suggesting that they are
betting the corporate nuckies on what you found. What was that IP
address... (chuckle)

> While scanning a customer's public corporate website (on request) with nmap
> (2.3BETA6 and 2.02) I found the following open ports:
>
> Port State Protocol Service
> 21 open tcp ftp

Ok... They got an ftp server... Wonder if it's configured properly (on
NT, it's almost impossible to "get it right" if anonymous login is
allowed). Bet it's not considering what else is lurking...

> 25 open tcp smtp

Hmmm... Probably exchange or similar ilk...

> 80 open tcp http

And a web server... Probably IIS. Time to run a web scanner, holes galore!

> 135 open tcp loc-srv

Normal NT. Access should never be allowed to the greater net. If I can
connect to 135, I can own the family jewels in a blink.

> 139 open tcp netbios-ssn

Normal Windows. Also should never permit access from the greater net.
There goes your data. Want to bet they've got the C$ and D$
administrative shares open to being raped?

> 443 open tcp https

Secure server (Oooo.... I'm impressed... Snicker.)

> 465 open tcp smtps

Oooo... Secure smtp... Now there is an oxymoron.

> 1027 open tcp unknown

No clue...

> 1030 open tcp iad1

BBN IAD? I don't believe it... Something not right there.

The above two COULD be some sort of RPC services... I'll have to check
with some other experts on them.

> 12345 filtered tcp NetBus

Hahahahahahaha... I wonder who owns the pretty boy! Hacked box. All
bets are off now.

> and udp:
> Port State Protocol Service
> 135 open udp loc-srv

Normal NT. Bad juju if I can get to it.

> 137 open udp netbios-ns

Normal Windows. Also should never permit access from the greater net.
Now I can dump your name tables and find your services... :-)

> 138 open udp netbios-dgm

Normal Windows. WINS and stuff... Should never be permitted to the
greater net.

> 31337 open udp BackOrifice

Chump, chump, chump, chump...

> Nothing special yet, netbus and bo happen to be on many pc's ;-)
> The server is nt4 sp4 german with IIS 4 installed.

Bo happens to be on many pc's! That's screwed, blued, and tattooed.
They are hacked, had, and standing out in an open field nude in a
hailstorm!

> I then went with the customer through the following procedures:
> -Connected with telnet to port 12345 of that machine and expected a banner
> No luck (probably it has IP restrictions, a feature of netbus)

BO didn't immediately ring the big red bell??????? That system is
major hacked!

> -Checking Registry and Disk for known malicious executables

BO IS A MALICIOUS EXECUTABLE! Where have you BEEN!

> No luck
> -Checking services and running processes for unknown things
> Nothing strange or special (screenshot available)
> -Installing Norman Data Defense AntiVirus with latest definitions
> Nothing found
> -Removing Norman and installing the latest Norton Antivirus for NT with
> latest definitions
> Nothing found
> -Running netstat -an on the server in question
> The two ports 12345 tcp and 31337 udp were not shown, all other listening
> services were shown as expected.
> -Installing Back Orifice Friendly from http://www.nfr.net/bof/ on the
> server (I hoped it would complain about not being able to listen on 31337 udp)
> Started and did not complain

Get rid of BO first!

> -I then connected to the server with 'netcat -u 31337' and typed some
> random chars which should normally trigger bof to pop up and notify the user
> Nothing happened, all other ports like i.e. pop3 triggered bof immediately

And that didn't alarm you?!?!?!?! Didn't that clue you in that bof
wasn't triggering on data to 21337? In other words it wasn't listening
on 31337!

> So, am I missing a chapter or does this look like something really strange?
> What next steps would one take now?

BO installed... They're toast.

> I really appreciate any help or hint.

Two questionable. Two seriously compromised sex lives.

Ports 1027 and 1030 are curious. May be nothing serious, may be
everything serious.

The two BO ports are dead serious. With BO on the system, nothing can
be trusted. The machine is compromised.

Even without BO there, with ports 135-139 tcp and udp open to access
you have all the security of a tissue in a hurricane.

> Cheers,
> Christoph Schneeberger
> SCS Telemedia

Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
  (The Mad Wizard)     |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9     |  An optimist believes we live in the best of all
  PGP Key: 0xDF1DD471  |  possible worlds.  A pessimist is sure of it!
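The cross-check the thread does by hand, as an added example that is not part of the original posts: parse the nmap port table and the host's own netstat -an, flag any port the scanner sees open that the host does not admit to (the 31337/udp discrepancy above, a listener hidden from the host's own tools), and separately flag the Windows RPC/NetBIOS ports that should never face the Internet. Both inputs are constructed for this example, abridged from the scan above.

```python
import re
# Constructed nmap output in the "Port State Protocol Service" form shown above.
NMAP_SCAN = """\
80 open tcp http
135 open tcp loc-srv
139 open tcp netbios-ssn
12345 filtered tcp NetBus
137 open udp netbios-ns
31337 open udp BackOrifice
"""
# Constructed 'netstat -an' output as the NT host itself would print it.
NETSTAT_AN = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""
# Windows RPC/NetBIOS ports the thread says should never face the Internet.
INTERNAL_ONLY = {("tcp", 135), ("tcp", 139), ("udp", 135), ("udp", 137), ("udp", 138)}

def parse_nmap(text):
    """Return {(proto, port): (state, service)} from the nmap port table."""
    seen = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\w+)\s+(tcp|udp)\s+(\S+)", line)
        if m:
            seen[(m.group(3), int(m.group(1)))] = (m.group(2), m.group(4))
    return seen

def parse_netstat(text):
    """Return the set of (proto, port) listeners the host admits to."""
    admitted = set()
    for line in text.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(\s+LISTENING)?\s*$", line)
        if m and (m.group(1) == "UDP" or m.group(3)):  # UDP rows carry no state
            admitted.add((m.group(1).lower(), int(m.group(2))))
    return admitted

def findings(nmap_text, netstat_text):
    """List (severity, proto, port, reason); hidden listeners outrank exposure."""
    seen, admitted = parse_nmap(nmap_text), parse_netstat(netstat_text)
    out = []
    for (proto, port), (state, service) in sorted(seen.items()):
        if state == "open" and (proto, port) not in admitted:
            out.append(("critical", proto, port, f"{service}: open to the scanner but missing from netstat"))
        elif (proto, port) in INTERNAL_ONLY:
            out.append(("high", proto, port, f"{service}: Windows service exposed to the Internet"))
    return out
```

A "critical" hit means the host's view of itself can no longer be trusted; treat the box as compromised and rebuild rather than keep hunting for the binary with antivirus.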
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:51 PDT