Re: [Full-Disclosure] W32/Welchia, W32/Nachi backdoor?
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] W32/Welchia, W32/Nachi backdoor?
- From: Joe Stewart <jstewart@xxxxxxxxx>
- Date: Wed, 20 Aug 2003 13:49:51 -0400
On Wednesday 20 August 2003 11:20 am, Barry Irwin wrote:
> > creates a backdoor listening on TCP/707 or some other randomly chosen port
> > between TCP/666 and TCP/765 [2]
>
> Telnetting to this port seems to disconnect after 1-5 characters have
> been entered? This doesn't look like TFTP (port 65/tcp&UDP), and the
> Windows tftp client doesn't seem to offer any means of specifying a port to
> connect to?
>
> Is this some kind of password-protected backdoor?

No, it's a reverse shell. Telnet to the port and enter the following 2 lines
to see how it works:

    Microsoft Windows
    system32>

-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html