Definitely a honeypot... UDP responses on every port! You running nepenthes on that thing?
:)

-----Original Message-----
From: Christopher Boggs [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 13, 2008 3:00 PM
To: NT System Admin Issues
Subject: RE: Remote server won't allow management

TCP: 206.18.123.211 [21-ftp]
TCP: 206.18.123.211 [110-pop3]
TCP: 206.18.123.211 [80-www-http]
TCP: 206.18.123.211 [443-https]

-----Original Message-----
From: David W. McSpadden [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 13, 2008 2:55 PM
To: NT System Admin Issues
Subject: Re: Remote server won't allow management

206.18.123.211 have at it.
I don't think it is advertising at the moment though.

----- Original Message -----
From: "Peter van Houten" <[EMAIL PROTECTED]>
To: "NT System Admin Issues" <[email protected]>
Sent: Thursday, March 13, 2008 3:36 PM
Subject: Re: Remote server won't allow management

> OK, so nmap against ports 1433 and 1434 and then grab your metasploit or
> head over here:
>
> http://tinyurl.com/rcah3
>
> Alternatively, give the list the box's ip address and an offer of
> $(datacentre_charge_per_hour-1) for the 1st successful reboot ;-)
>
>
> On the 13/03/2008 20:59, David W. McSpadden wrote the following:
>> Yeah I know.
>> It's actually a honeypot when it is up.
>> Haven't had any real biters though.
>>
>> ----- Original Message -----
>> From: "Salvador Manzo" <[EMAIL PROTECTED]>
>> To: "NT System Admin Issues" <[email protected]>
>> Sent: Thursday, March 13, 2008 2:48 PM
>> Subject: Re: Remote server won't allow management
>>
>>
>> Wow. That's an exploit waiting to happen.
>>
>>
>> On 3/13/08 11:43 AM, "David W. McSpadden" <[EMAIL PROTECTED]> wrote:
>>
>>> It does have SQL 2000 on it. With a blank SA password.......
>>> ----- Original Message -----
>>> From: "Peter van Houten" <[EMAIL PROTECTED]>
>>> To: "NT System Admin Issues" <[email protected]>
>>> Sent: Thursday, March 13, 2008 2:30 PM
>>> Subject: Re: Remote server won't allow management
>>>
>>>
>>>> Going out on a limb but I know when I'm in this situation, I'll try just
>>>> about anything to talk to a server I can "see" (bearing in mind the
>>>> time/cost). What about running nmap against the system to see if port 135
>>>> (RPC) or any others are, in fact open? Anyone have a copy of Blaster for
>>>> David :-)
>>>>
>>>> On the 13/03/2008 19:18, David W. McSpadden wrote the following:
>>>>> All of the ps tools come back unable to connect.
>>>>> ----- Original Message -----
>>>>> From: "Peter van Houten" <[EMAIL PROTECTED]>
>>>>> To: "NT System Admin Issues" <[email protected]>
>>>>> Sent: Thursday, March 13, 2008 12:53 PM
>>>>> Subject: Re: Remote server won't allow management
>>>>>
>>>>>
>>>>>> Thanks to Mark R. once again:
>>>>>>
>>>>>> psexec \\computername -i "shutdown -r -t 1"
>>>>>>
>>>>>> or if you *really* want to shut down no matter what:
>>>>>>
>>>>>> pskill -t \\computername svchost.exe
>>>>>>
>>>>>> which will kill most instances of the generic host process and
>>>>>> consequently restart the machine. But as James pointed out, the
>>>>>> integrity of the RPC channel must be intact.
>>>>>>
>>>>>> I have experienced the frustration of being able to ping a system but
>>>>>> not being able to communicate in any other way else. This idea would be
>>>>>> useful if one could implement it in Windows:
>>>>>>
>>>>>> http://www.securiteam.com/tools/5GP071FG0Q.html
>>>>>>
>>>>>>
>>>>>>> *From:* Rankin, James R [mailto:[EMAIL PROTECTED]
>>>>>>> *Sent:* 13 March 2008 11:38
>>>>>>> *To:* NT System Admin Issues
>>>>>>> *Subject:* RE: Remote server won't allow management
>>>>>>>
>>>>>>> If it won't take a remote shutdown command (from the ResKit), then it
>>>>>>> is probably out of reach. Most stuff relies on some form of RPC
>>>>>>> communication. I sometimes use pskill to kill the winlogon process
>>>>>>> which generally makes it bluescreen, but this may not work either in
>>>>>>> diagnostic mode
>>>>>>>
>>>>>>> ------------------------------------------------------------------------
>>>>>>>
>>>>>>> *From:* David W. McSpadden [mailto:[EMAIL PROTECTED]
>>>>>>> *Sent:* 13 March 2008 11:30
>>>>>>> *To:* NT System Admin Issues
>>>>>>> *Subject:* Re: Remote server won't allow management
>>>>>>>
>>>>>>> Nope.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>
>>>>>>> *From:* Rankin, James R <mailto:[EMAIL PROTECTED]>
>>>>>>> *To:* NT System Admin Issues <mailto:[email protected]>
>>>>>>> *Sent:* Thursday, March 13, 2008 7:29 AM
>>>>>>> *Subject:* RE: Remote server won't allow management
>>>>>>>
>>>>>>> Take it it doesn't have a DRAC/RIB/ILO installed?
>>>>>>>
>>>>>>> ------------------------------------------------------------------------
>>>>>>>
>>>>>>> *From:* David W. McSpadden [mailto:[EMAIL PROTECTED]
>>>>>>> *Sent:* 13 March 2008 11:20
>>>>>>> *To:* NT System Admin Issues
>>>>>>> *Subject:* Remote server won't allow management
>>>>>>>
>>>>>>> I have a remote server I would like to get into but it was last
>>>>>>> restarted in Diag mode from MSCONFIG.
>>>>>>>
>>>>>>> There is no one at the remote site. Is there a way to get it unstuck?
>>>>>>>
>>>>>>> I can ping it but that is all.
