On Wed, Jun 11, 2003 at 08:51:23AM +0200, Pavel Kankovsky wrote:
> On Tue, 10 Jun 2003, Renaud Deraison wrote:
>
> > Connect to port 1080 and tell me if you see anything.
> > If not, what happens when you send the letter "p" ? What happens when
> > you send a carriage return ?
>
> argo:/home/peak $ echo p | ./nc INFECTED-HOST 1080 | od -t x1
> 0000000 2e 19 98 24 2f c2 e2 32 71 44 4b f3 63 c5 97 53

On Wed, Jun 11, 2003 at 12:11:28PM -0400, larosa, vjay wrote:
> Hello Renaud,
> 0x0040: 12 6B 45 2E 04 53 6F 16 0A A6 2B E6 C4 A0 4A A0 .kE..So...+...J.
> 0x0050: 27 C8 B3 1D EB B7 3D 22 FD F2 A0 9B 2C F0 B9 DA '.....="....,...
> 0x0060: F5 BC 22 5D 0C 92 82 9A 73 69 82 11 EB 18 98 95 .."]....si......

Okay, as one can tell, this thing outputs random data (from our point of
view). Just to be sure, I got my hands on a copy of it and confirmed the
"randomness" on a third host.

So the attached plugin connects to the port and issues the "p" command.
Then it connects back and sends "x" (which has no output). If we had a
reply for "p" but not for "x", then we can assume that it's bugbear.b.

(yeah yeah, I know I could have dug deeper).

-- Renaud
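The two-probe check described in the message above, sketched in Python as an added example; it is not the plugin attached to the original message. The function names, the 64-byte read, the timeouts, the trailing newline on each probe and the local stand-in listener are assumptions made for illustration.

```python
import os
import socket
import threading

def probe(host, port, payload, timeout=3.0):
    """Send payload on a fresh connection; return the reply bytes, b"" for
    silence, or None if the connection itself failed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            try:
                return s.recv(64)
            except socket.timeout:
                return b""
    except OSError:
        return None

def matches_described_behaviour(host, port=1080, timeout=3.0):
    """True when "p" gets data back and "x" gets none, per the message above."""
    # Trailing newline is an assumption carried over from the `echo p | nc` test.
    if not probe(host, port, b"p\n", timeout):
        return False          # closed port or silent service: no match
    return probe(host, port, b"x\n", timeout) == b""

def constructed_listener(respond):
    """Constructed local stand-in for testing: calls respond(first_byte) per
    connection and sends back whatever it returns. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(16)
                out = respond(data[:1])
                if out:
                    conn.sendall(out)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Stand-in that answers "p" with 16 opaque bytes and stays silent on "x".
    port = constructed_listener(lambda c: os.urandom(16) if c == b"p" else b"")
    print(matches_described_behaviour("127.0.0.1", port, timeout=1.0))
```

This is a behavioural heuristic: any service that answers "p" and stays silent on "x" will match, so a positive result calls for follow-up on the host itself.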
This archive was generated by hypermail 2b30 : Wed Jun 11 2003 - 11:16:00 PDT