For general information: you did use NBT (NetBIOS Transport). This is how you obtained IPC$ access to the box. \\ipaddress or \\computername uses NetBIOS. The command mentioned earlier (nbtstat) lets you gather a little info, i.e.:

nbtstat -n (shows your own stuff)
nbtstat -a ipaddress (reports the NetBIOS table of the remote machine)

I would recommend that all of you running 2k or NT Server run nbtstat -a on your external NIC. If you get information back, then NetBIOS is open on that NIC. To disable it in NT, simply go to the bindings tab in network settings and disable the WINS layer on the external NIC. Under 2k I believe it's just the simple file and print sharing checkbox. Personally I like NT's more technical approach to the bindings vs. 2k's more 95-ish approach. This will keep people from even attempting to log in and will also protect you against LSA exploits for winlogon.

For these Nimda-infected servers, I did play around quite a bit the other night with it. After I found that I could access the hidden C$ share, I decided to see what else I could touch. With 2k Professional I was able to remotely manage all of the services on the infected machine. I was able to shut down the IIS, Workstation, and Server services on the box. Of course that wasn't very good, because then I could not access C$ anymore and Nimda was still resident.

So after some more playing yesterday I found that some of these boxes still had the exploit for cmd.exe through IIS open, and I was able to form a nice little IIS call and run a command on the infected machine. I performed the same exploit that Nimda uses to test if cmd.exe?/c+dir worked and ran a route delete 0.0.0.0 mask 0.0.0.0 command. This immediately kicked the machine off the network and I was unable to ping it again. Of course these open exploits are not on all machines, as some of them were patched for Code Red, but it was neat that I did actually kick one of them off.

Danny

At 10/12/2001 03:17 PM, you wrote:
>I took a little walk through my logs as well, but all the machines I saw
>I didn't need to use NBT, I simply entered \\ipaddress\c$ into the browser,
>and up it came! No passwords necessary for the 15 machines I tried.
>(I was going to be mean, but I liked the changing boot.ini to "Nimda Infected
>Machine")
>
>garrett
>
>Windjammer <[EMAIL PROTECTED]> wrote:
>
>What is nbt.... some telnet thing? I'd like to try that and see what
> happens...
>LOL
>
>Danny Mallory wrote:
>
>> Well I was playing around tonight and this is really toooo funny.
>> As Nimda opens up the guest accounts on NT and 2k servers, I found
>> that on every IP that hit my log files I was able to nbt to them
>>
>> start/run
>> //ipaddress/c$
>> user: anonymous
>> pswd: [EMAIL PROTECTED]
>>
>> And had full rights to their entire system..
>>
>> So you guys tell me..
>>
>> Should we stick this in a nice little batch file in their startup.
>> %windir%\rundll32.exe user,ExitWindows Exec
>>
>> Danny
>>
>> --------------------------------------------------------------------------------
>> For unsubscription of this list send an email to [EMAIL PROTECTED] with email
>> data containing unsubscribe emailadd sambar
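The thread's defensive advice is to run nbtstat -a against each external NIC and treat any name table coming back as proof that NetBIOS is reachable from outside. The script below is an added example, not code from any of the posters: it parses nbtstat output (constructed sample text, not a capture from a real host), reports whether NetBIOS answered at all, and flags the <20> Server service registration, which is what serves the C$ and IPC$ shares the posters were reaching. The suffix meanings are the well-known NetBIOS name suffixes; the Windows 2000 "WINS tab" note in the findings is general knowledge of that OS, not something stated in the thread.

```python
"""Audit helper for the advice in the thread: run `nbtstat -a <ip>` against each
external interface (or `nbtstat -n` on the host itself), feed the output in here,
and learn whether NetBIOS name service is answering and whether the Server
service (<20>), which serves C$/ADMIN$/IPC$, is registered.
Added example; not code from the original mailing-list post.
"""
import re
from dataclasses import dataclass

# Well-known NetBIOS name suffixes (hex); only the ones needed for this audit.
SUFFIX_MEANING = {
    "00": "Workstation service",
    "03": "Messenger service",
    "1B": "Domain master browser",
    "1D": "Master browser",
    "1E": "Browser service elections",
    "20": "Server service (file/print sharing, admin shares)",
}

# Matches one name-table row, e.g. "WEBSRV01       <20>  UNIQUE      Registered"
ROW_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)",
    re.MULTILINE,
)


@dataclass
class NbtEntry:
    name: str
    suffix: str
    kind: str
    status: str


def parse_nbtstat(output: str) -> list[NbtEntry]:
    """Return the name-table rows found in nbtstat output (empty list if none)."""
    return [NbtEntry(m["name"], m["suffix"].upper(), m["type"], m["status"])
            for m in ROW_RE.finditer(output)]


def audit_nbtstat(output: str) -> dict:
    """Summarise exposure: did NetBIOS answer, and is the Server service registered?"""
    entries = parse_nbtstat(output)
    exposed = bool(entries)  # any name table returned == NetBIOS is open on that NIC
    server_svc = any(e.suffix == "20" and e.kind == "UNIQUE" for e in entries)
    findings = [f"{e.name}<{e.suffix}> {e.kind}: {SUFFIX_MEANING.get(e.suffix, 'other')}"
                for e in entries]
    if exposed:
        findings.append("NetBIOS over TCP/IP answers on this interface; unbind it "
                        "(NT: disable the WINS client binding on the NIC; "
                        "2000: disable NetBIOS over TCP/IP on the WINS tab of "
                        "Advanced TCP/IP settings).")
    if server_svc:
        findings.append("Server service registered: C$/ADMIN$/IPC$ are reachable if "
                        "credentials (including an enabled Guest account) allow it.")
    return {"exposed": exposed, "server_service": server_svc, "findings": findings}


# Constructed sample: what nbtstat -a prints for a host whose NetBIOS is open.
SAMPLE_OPEN = """
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
WEBSRV01       <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
WEBSRV01       <20>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered

MAC Address = 00-00-00-00-00-01
"""

# Constructed sample: what nbtstat -a prints when nothing answers on UDP 137.
SAMPLE_CLOSED = "Host not found.\n"

if __name__ == "__main__":
    for label, out in (("open", SAMPLE_OPEN), ("closed", SAMPLE_CLOSED)):
        result = audit_nbtstat(out)
        print(f"[{label}] exposed={result['exposed']} "
              f"server_service={result['server_service']}")
        for line in result["findings"]:
            print("   ", line)
```

On a real host you would pipe `nbtstat -a <external ip>` into this from another machine on the outside of the NIC in question; an empty name table means the binding is off, which is the state the thread recommends for any server-facing interface.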
