|
search / subscribe / upload / contact |
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
| RSS-Feed Depeschen |  |
|
|
||
|
||
Date: 1998-10-18
Gefaehrlich: Trojaner Netbus fuer Windows NT-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- updating 98.8/13/1 Gefaehrlich: Trojaner Netbus fuer Windows NT Was bei Back Orifice zu erwarten war, ist unter anderem Namen jetzt passiert. NetBus, eine genauso kleine wie gemeine Client-Server Applikation läuft im Unterschied zu Back Orifice auch auf Windows NT. Und es gibt noch mehr reichhaltige Features, um die Maschinen nichtsahnender User, die sich NetBus mit einem Screensaver oder in Chats gefangen haben, zu booten, Daten abzusau/gen oder sonstwie zu manipulieren. Dafür ist Netbus etwas einfacher zu finden, weil es mit Port 12345 anscheinend monogam verbunden ist. relayee par m.vesely@magnet.at -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- Determining if NetBus has been installed on your machine: NetBus uses TCP for communication, and always uses ports 12345 and 12346 for listening for connections. netstat will tell you if NetBus is installed if you issue the command 'netstat - an | find "12345"'. Then, start the windows 'telnet' program and connect to 'localhost' at port 12345. If NetBus is installed, a string similar to 'NetBus 1.53' or 'NetBus 1.60 x' will be displayed when you connect. NetBus's protocol is not encrypted and the commands have a simple format: the name of the command, followed by a semicolon, followed by the arguments separated by semicolons. It is possible to set a password on the NetBus server, and the password is stored in the registry as plaintext at HKEY_CURRENT_USER\Patch\Settings\ServerPwd. X- Force has discovered that there is a backdoor in NetBus that will allow anyone to connect with no password. When the client sends the password to the server, it sends a string similar to 'Password;0;my_password'. If the client uses a 1 instead of a 0, you will be authenticated with any password. By default, the NetBus server is called 'Patch.exe', but it can be renamed. There are two ways to remove NetBus, depending on what version you use: - - For versions 1.5x, the instructions to remove NetBus are located at http://members.spree.com/NetBus/remove_1.html. - - For version 1.6, the removal instructions are at http://members.spree.com/NetBus/remove_2.html. You can remove any installation of NetBus 1.6 by telneting to the machine at port 12345, typing 'Password;1;', pressing enter, typing 'RemoveServer;1', and pressing enter. You will be disconnected, NetBus will be disabled and will no longer run at startup. You will have to delete Patch.exe from you Windows directory if you want to completely remove NetBus. This procedure works even if there is a password set, however it doesn't work with the 1.5x versions. full text http://www.tbtf.com/resource/iss-backdoor.txt related story http://www.zdnet.de/produkte/artikel/sw/199811/report07- wf.html -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- - -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- edited by published on: 1998-10-18 comments to office@quintessenz.at subscribe Newsletter - -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- 
|
|
|
 |
CURRENTLY RUNNING |
q/Talk 1.Juli: The Danger of Software Users Don't Control
|
|
|
!WATCH OUT! |
bits4free 14.Juli 2011: OpenStreetMap Erfinder Steve Coast live in Wien
|
|