TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

On Sat, 22 Jan 2000, you wrote:
> Keep in mind that they may also be running this as a daemon to lure script
> kiddies. I have done this myself.  Do notify the victim system as a courtesy.
> 
> Rob
> 
> /------------------------------------------/
> Robert Zachary
> Analyst
> Information Security
> Tandy Information Services
> 817.415.0675
> [EMAIL PROTECTED] 
> 
> > -----Original Message-----
> > From: Gary McIntyre [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, January 21, 2000 2:12 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Netbus ?
> > 
> > 
> > It certainly looks that way.  I know of no legitimate applications which
> > hold port 12345 open for sessions, besides NetBus.  Have you informed the
> > various victims of the problem?
> > 
> > Gary McIntyre
> > Network Consultant
> > LGS Group Inc.
> > [EMAIL PROTECTED]
> > 
> > This user's PGP Public Keys can be
> > obtained from certserver.pgp.com
> > 
> > ----- Original Message -----
> > From: "Data_surge <[EMAIL PROTECTED]>@LGS"
> > <IMCEANOTES-Data+5Fsurge+20+3CGn0+40datasurge+2Ecom+3E+40LGS@e-commerce.com>
> > To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> > Sent: Friday, January 21, 2000 2:40 PM
> > Subject: Netbus ?
> > 
> > 
> > > Hey there all,
> > > Lately I have been scanning a number of hosts for record purposes, and on a
> > > number of large ISP and e-commerce sites I have found a port open for NetBus.
> > > The port is 12345. I did not believe it at first and got my port listing docs
> > > out to verify that it was something else, and on both counts it came up
> > > unverified.
> > > I can safely say that the largest ISP in my country has been infected with
> > > NetBus. Here is one of the logs.
> > > Starting nmap V. 2.3BETA13 by [EMAIL PROTECTED] ( www.insecure.org/nmap/ )
> > > Interesting ports on the url ? (a ip:0)
> > > Port    State       Protocol  Service
> > > 21      open        tcp       ftp
> > > 22      open        tcp       ssh
> > > 23      open        tcp       telnet
> > > 25      open        tcp       smtp
> > > 53      open        tcp       domain
> > > 80      open        tcp       http
> > > 110     open        tcp       pop-3
> > > 111     open        tcp       sunrpc
> > > 443     open        tcp       https
> > > 12345   open       tcp      NetBus
> > >
> > > TCP Sequence Prediction: Class=random positive increments
> > >                          Difficulty=34403 (Worthy challenge)
> > > Remote operating system guess: FreeBSD 2.2.1 - 3.2
> > >
> > > Nmap run completed -- 1 IP address (1 host up) scanned in 65 seconds
> > >
> > >
> > 
> > 
> > 
> >

Very good points about NetBus running on FreeBSD. Being that NetBus is
Windows based, maybe a machine running as a client is connected to the FreeBSD,
or is connected to it through HTTP, and the scanner is scanning it as if they
were the same machine, kind of like one machine having ten IP addresses.
When they were scanned it was just a domain name, e.g. check.com; after the scan
was complete it listed users.isp.com, naming the ISP in question, so I scanned
that to see what it was, and that was the first log file I put up here. The
second is listing 2 NetBuses on Windows, so I think a script is out of the
question..... Somehow NetBus has or is showing that it has infected the
FreeBSD. I know it sounds impossible, but that is what the scans are showing.


Starting nmap V. 2.3BETA13 by [EMAIL PROTECTED] ( www.insecure.org/nmap/ )
Interesting ports on url (a ip.0:)
Port    State       Protocol  Service
21      open        tcp       ftp                     
23      filtered    tcp       telnet                  
80      open        tcp       http                    
81      open        tcp       hosts2-ns               
135     filtered    tcp       loc-srv                 
137     filtered    tcp       netbios-ssn              
138     filtered    tcp       netbios-ssn             
139     filtered    tcp       netbios-ssn             
1433    filtered    tcp       ms-sql-s                
5000    filtered    tcp       fics                    
12345   filtered    tcp       NetBus                  
12346   filtered    tcp       NetBus                  

TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=19 (Easy)
Remote operating system guess: Win NT4 / Win / Win run completed -- 1 IP address (1 
host up) scanned in 64 seconds
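
A triage pass over scan output like the two listings in this thread, added here as an example and not written by any poster on the list. In this nmap version the Service column is only a name looked up from the port number, and "filtered" means the probe was blocked, so neither alone shows that NetBus is running. The sample host, address, function names and verdict labels are constructed for illustration.

```python
import re

# Constructed sample in the nmap 2.x text format quoted in the thread.
SAMPLE = """\
Interesting ports on host.example (192.0.2.10):
Port    State       Protocol  Service
22      open        tcp       ssh
80      open        tcp       http
12345   open        tcp       NetBus
12346   filtered    tcp       NetBus

Remote operating system guess: FreeBSD 2.2.1 - 3.2
"""

NETBUS_PORTS = {12345, 12346}  # the ports the thread's scans label "NetBus"
ROW = re.compile(r"^(\d+)\s+(open|filtered|unfiltered|closed)\s+(tcp|udp)\s+(\S+)\s*$")
OS_GUESS = re.compile(r"^Remote operating system guess:\s*(.+)$")
QUOTE = re.compile(r"^(?:>\s?)+")  # mail quoting in front of pasted output

def parse_scan(text):
    """Return (rows, os_guess) from nmap 2.x-style text, quoted or not."""
    rows, os_guess = [], None
    for line in text.splitlines():
        line = QUOTE.sub("", line).strip()
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = OS_GUESS.match(line)
        if m:
            os_guess = m.group(1).strip()
    return rows, os_guess

def triage(text):
    """Classify NetBus-port rows by what the scan actually supports."""
    rows, os_guess = parse_scan(text)
    windows = bool(os_guess and re.search(r"\bwin", os_guess, re.I))
    findings = []
    for port, state, proto, _service in rows:
        if port not in NETBUS_PORTS or proto != "tcp":
            continue
        if state != "open":
            verdict = "no-evidence"   # blocked probe: nothing was seen listening
        elif windows:
            verdict = "investigate"   # listener on a Windows guess: check on the host
        else:
            verdict = "os-mismatch"   # listener on a non-Windows guess: some other daemon
        findings.append((port, state, verdict))
    return findings
```

A verdict of "investigate" still needs confirmation on the host itself, by identifying which process owns the listening socket.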