February 27th, 2003, 07:37 PM
HELP! PLEASE!! How can I access a remote Win98 box?
Hi, please help! I recently lost the dedicated data connection to one of my remote data-collection stations running basic Win98. (This machine is unmanned, and in an isolated location, so I can’t just have someone install “PC Anywhere” or something similar.) Weather delays are preventing us from getting the line repaired, and I need to do a data pull on this machine. The machine still has an active connection to the Internet, and I have done a port-scan which reveals the standard ports as being open (80, 81, 82, 119, 389, 1002, 1080, 1720), but after I attempted an HTTP://IP_Address:80, I got nothing. My predecessor didn't tell me about any firewalls, so I am stumped. I am a UNIX guy dumped into this by default. Is there any way that I can connect to the machine through one of these open ports and access data on C:\? I had always assumed that a Windows box with open ports and an active ‘net connection was pretty much there for the taking, but darned if I can figure it out. If anyone can help, or point me to a site that will help, I would really appreciate it. Thanks, Dave
February 27th, 2003, 09:00 PM
Hrmm. It's interesting that there are some unusual ports open. Perhaps you should see what those ports hold open.
What exactly is this for and why use a Win98 box? Windows 98 isn't exactly server technology and certainly lacks the security that is needed, especially if it's "data-collection".
What is installed on it?
February 27th, 2003, 09:10 PM
(I feel this might be a legit cause...)
Based on the 389 (ldap) and 1720 (h323hostcall) ports, it seems to me it might be running NetMeeting... you might be able to connect and use the remote desktop functionality...
Port 82 is listed as Xfer utility, so it might help but I've never heard of such a program... Anyone?
What happens when you try to connect with your browser (on port 80 of course)?
Does telnetting (to port 80) show anything (don't forget to send 2 returns to a server message)...
BTW, how's that host usually managed?
Credit travels up, blame travels down -- The Boss
February 27th, 2003, 09:14 PM
The machine in question is basically a dumb terminal. It takes feeds from several meteorological sensors (wind, temp, rain-fall), runs a couple of algorithms and then spits the info back down a dedicated line every six hours. (That is when the line isn't down 'cause of an ice-storm... something vaguely ironic about that isn't there?). As for the open ports, it is a bit unusual, but then the whole set-up is. It was cobbled together out of bits and pieces.... (Your tax dollars at work !!) and I just got thrown into the Sysadmin position for it a short time ago... never touched a Win98 box in my life.... Telnetting doesn't seem to get me anywhere (I understand Telnet is not an available feature on Win boxes by default?) and doing an http:// to port 80 gets me a "Connection closed by server" message.
February 27th, 2003, 09:15 PM
That makes things a little bit tougher. It doesn't run the full suite of services that an NT box would be by default. Hence, less to exploit in an emergency. The ports you list as being open are pretty weird for a workstation. I mean....LDAP, Socks, and H323 stuff....weird indeed. If you have access to a *nix box have you tried scanning it with nessus? It will link you to the known security exploits on those ports. You could also look on CERT for some of the exploits, but I don't know of anything right off the top of my head to try. Sorry.
edit---damn y'all type fast. I try to post and get three ahead of me before I can even get this half-baked answer articulated.
February 27th, 2003, 09:25 PM
81/tcp Name Server NS
82/tcp XFER Utility XFER
119/tcp Network News Transfer Protocol NNTP
389/tcp Lightweight Directory Access Protocol LDAP
1002 is unassigned as a standard TCP/UDP port. Possible application(s): NetMeeting or another non-standard LDAP
1080 is a SOCKS protocol or proxy
1720 is another non-standard port, but NetMeeting and GnomeMeeting use this as RDS (Remote Desktop Sharing); also a common DoS vulnerability port
February 27th, 2003, 09:32 PM
Thanks Xylinx for getting the Ports.
Off-hand, my first question is: are you sure it's a Win98 box?
Second, are you sure you have the right IP? Because none of those look like data collection ports (assuming standard databases).
Have you tried telnetting to each port to see what the response is (banner info)?
February 27th, 2003, 09:43 PM
Ok... I am 99.99847875572% positive that it is a Win 98 SE box. Apparently it was grabbed at the last minute when the original machine kacked and died about six months ago. The data flow was supposed to go out on port 1720 (I think). All the 'data-collection work' is done by a fairly basic script that was put together about 3-4 years ago. It has worked, so no one ever bothered to improve on it. As for security, there is none... even if you found it, there is nothing on it but met data for a relatively uninhabited area up north.
February 27th, 2003, 09:46 PM
Unless there is some type of remote software on it.. I'm afraid yer dead in the water. Someone is gonna have to brave the "snot-freezing-in-your-nose" temperatures and get the data manually from the machine.
98 is definitely not the serving out type of box. Also, there must be firewalls on this box or it's not Win98. Windows 98 ALWAYS has ports 135-139 open. Those aren't showing up in your scan.
February 27th, 2003, 09:54 PM
Ok, thanks all.. I guess worse comes to worst, I can stiff the boss for a couple of days travel and some gas & food money. Anyone wanna go for a three-hour snow-shoe? Thanks all, appreciate it, Dave