On Tue, 2005-09-13 at 22:29 +0000, Ian Gizak wrote: > I'm pentesting a client's network and I have found a Windows NT4 machine > with ports 620 and 621 TCP ports open. > > When I netcat this port, it returns garbage binary strings. When I connect > to port 113 (auth), it replies with random USERIDs. > [...] > I have checked the open ports and no-one seems to be the worm ftp server or > something useful related to the worm. Some ports allow input but don't reply > anything... Could it be that you are buzzing around a honeypot like a moth around a porch light? Or have to followed up with the client and can you rule it out as a honeypot? Otherwise it's a very interesting port fingerprint for an NT4 box :) Cheers, Frank -- Ciscogate: Shame on Cisco. Double-Shame on ISS.
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/