Date: 1998-10-18
Dangerous: NetBus trojan for Windows NT
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
q/depesche 98.10.18/1
updating 98.8/13/1
Dangerous: NetBus trojan for Windows NT
What was to be expected after Back Orifice has now happened
under a different name. NetBus, a client-server application as
small as it is nasty, unlike Back Orifice also runs on Windows
NT. And it offers an even richer set of features for rebooting
the machines of unsuspecting users who caught NetBus via a
screensaver or in chats, siphoning off their data, or
manipulating them in some other way.
On the other hand, NetBus is somewhat easier to find, because
it appears to be monogamously bound to port 12345.
relayed by [email protected]
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
Determining if NetBus has been installed on your machine:
NetBus uses TCP for communication, and always uses ports
12345 and 12346 for listening for connections. netstat will tell
you if NetBus is installed if you issue the command
'netstat -an | find "12345"'. Then, start the windows 'telnet' program
and connect to 'localhost' at port 12345. If NetBus is
installed, a string similar to 'NetBus 1.53' or 'NetBus 1.60 x'
will be displayed when you connect.
NetBus's protocol is not encrypted and the commands have
a simple format: the name of the command, followed by a
semicolon, followed by the arguments separated by
semicolons. It is possible to set a password on the NetBus
server, and the password is stored in the registry as plaintext
at HKEY_CURRENT_USER\Patch\Settings\ServerPwd. X-Force
has discovered that there is a backdoor in NetBus that
will allow anyone to connect with no password. When the
client sends the password to the server, it sends a string
similar to 'Password;0;my_password'. If the client uses a 1
instead of a 0, you will be authenticated with any password.
By default, the NetBus server is called 'Patch.exe', but it can
be renamed.
There are two ways to remove NetBus, depending on what
version you use:
- For versions 1.5x, the instructions to remove NetBus are
located at http://members.spree.com/NetBus/remove_1.html.
- For version 1.6, the removal instructions are at
http://members.spree.com/NetBus/remove_2.html. You can
remove any installation of NetBus 1.6 by telneting to the
machine at port 12345, typing 'Password;1;', pressing enter,
typing 'RemoveServer;1', and pressing enter. You will be
disconnected, NetBus will be disabled and will no longer run
at startup. You will have to delete Patch.exe from your
Windows directory if you want to completely remove NetBus.
This procedure works even if there is a password set;
however, it doesn't work with the 1.5x versions.
full text
http://www.tbtf.com/resource/iss-backdoor.txt
related story
http://www.zdnet.de/produkte/artikel/sw/199811/report07-wf.html
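The relayed advisory names three things a defender can check for: a listener on TCP 12345/12346 in 'netstat -an' output, the 'NetBus 1.5x'/'NetBus 1.60 x' greeting sent on connect, and the plaintext 'Command;arg;arg' protocol (including the 'Password;1;' form of the authentication backdoor, which is worth flagging in captured traffic). The script below is an added example, not part of the depesche or of the ISS X-Force advisory; the netstat lines and banners it works on are constructed samples, and the port numbers, banner shape and command format are taken from the advisory text above.

```python
"""Detection helpers for the NetBus indicators named in the ISS advisory.

Added example (not from the original depesche or ISS). Everything below is
either quoted from the advisory text (ports, banner shape, command format)
or a constructed sample labelled as such.
"""
import re
import socket

# Listening ports the advisory says NetBus always uses.
NETBUS_PORTS = {12345, 12346}

# Greeting shape the advisory describes: 'NetBus 1.53', 'NetBus 1.60 x', ...
BANNER_RE = re.compile(r"^NetBus\s+\d+\.\d+")

# Constructed sample of 'netstat -an' output on Windows NT (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1025          10.0.0.9:139           ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def find_netbus_listeners(netstat_output):
    """Return the sorted list of NetBus ports found in LISTENING state.

    Equivalent to the advisory's 'netstat -an | find "12345"', but checks
    both ports and the TCP/LISTENING state instead of a plain substring.
    """
    found = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        local, state = parts[1], parts[3]
        port_text = local.rsplit(":", 1)[-1]   # '0.0.0.0:12345' -> '12345'
        if not port_text.isdigit():
            continue
        if state.upper() == "LISTENING" and int(port_text) in NETBUS_PORTS:
            found.add(int(port_text))
    return sorted(found)


def is_netbus_banner(banner):
    """True if a greeting read from the port looks like the NetBus banner."""
    return bool(BANNER_RE.match(banner.strip()))


def parse_netbus_command(raw):
    """Split one plaintext protocol line into (command_name, [arguments]).

    The advisory describes the format as the command name, a semicolon,
    then the arguments separated by semicolons, e.g. 'Password;0;secret'.
    """
    raw = raw.rstrip("\r\n")
    if not raw:
        raise ValueError("empty NetBus command")
    name, *args = raw.split(";")
    return name, args


def uses_password_bypass(raw):
    """True if a captured 'Password' command uses the backdoor form
    ('Password;1;...'), which the advisory says authenticates with any
    password. Useful when reviewing plaintext captures of port 12345."""
    name, args = parse_netbus_command(raw)
    return name == "Password" and bool(args) and args[0] == "1"


def grab_banner(host="localhost", port=12345, timeout=3.0):
    """Connect and read the greeting, as the advisory suggests doing with
    telnet. Returns None when nothing is listening. (Live network call;
    not exercised by the offline checks below.)"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(64)
    except OSError:
        return None
    return data.decode("latin-1", errors="replace")


if __name__ == "__main__":
    print("listeners in sample:", find_netbus_listeners(SAMPLE_NETSTAT))
    print("banner check:", is_netbus_banner("NetBus 1.60 x"))
    print("bypass in 'Password;1;':", uses_password_bypass("Password;1;"))
```

The netstat parser is the offline part: feed it the saved output of 'netstat -an' from a suspect NT box and it returns which of the two ports are actually in LISTENING state, which avoids the false positives a bare substring match on "12345" would give for ephemeral or foreign ports. grab_banner() only confirms what the listener says about itself; a renamed Patch.exe still answers with the same greeting, which is why the advisory pairs the port check with the banner check.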
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
published on: 1998-10-18
comments to [email protected]
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-