Full Disclosure mailing list archives
RE: Increased TCP 139 Activity
From: "Marc" <marc () marcd org>
Date: Thu, 9 Oct 2003 07:24:20 -0400
Roxy is also known as 'Randex' We have seen some vendor laptops come in infected with this. One 'undocumented' feature we have found related to this is the presence of the serv-u ftp server listening on port 81 of these machines.
Message: 20 Subject: RE: [Full-disclosure] Increased TCP 139 Activity Date: Wed, 8 Oct 2003 10:57:26 -0500 From: "Williams Jon" <WilliamsJonathan () JohnDeere com> To: Full-Disclosure () lists netsys com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've had two machines act as if they were infected with something, one on Saturday, and then one on Monday. They each went through and tried to scan a whole Class B network (it failed, due to our firewalls) on ports 139 and 445, both ports per address, one packet per host. Each "infected" machine stopped when they reached the end of the Class B. Neither machine "selected" a network to scan that was related to their own IP address. Both machines scanned non-sequentially. Both machines were taken offline and scanned for viruses. Both showed positive for Blaster and one showed positive for a backdoor called Roxy(?). Both were cleaned and patched and reconnected, and we haven't seen another scan like that since, although we've been watching closely.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Increased TCP 139 Activity Phathat (Oct 08)
- <Possible follow-ups>
- RE: Increased TCP 139 Activity Williams Jon (Oct 08)
- RE: Increased TCP 139 Activity Brown, Rodrick (Oct 08)
- RE: Increased TCP 139 Activity Ron DuFresne (Oct 08)
- Re: Increased TCP 139 Activity Valdis . Kletnieks (Oct 09)
- RE: Increased TCP 139 Activity Marc (Oct 09)
- RE: Increased TCP 139 Activity Choe.Sung Cont. PACAF CSS/SCHP (Oct 10)
- Re: RE: Increased TCP 139 Activity Andrew Simmons (Oct 10)