Full Disclosure mailing list archives

Re: ftp worm ?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 16 Jan 2004 13:23:07 +1300

Robert Perriero <perrieror1 () mail montclair edu> wrote:

I would be willing to bet that this is a modified "pub scanner". Similar 
to the apache exploit posted, it appears as if it attempts to connect to 
machines using known user accounts and passwords. It probably isn't a 
worm, but rather someone behind a keyboard attempting to find a place to 
store warez.

Your knowledge of pubstro is a tad out of date.  Many pubstro kits 
have, for ages, included various kinds of vulnerability scanners.  More 
recently (like at least 18 months ago?) semi-automatic "find the next 
victim" features were also being added to some pubstro kits, culminating 
in at least some fully automated, self-spreading pubstro agents.

In most people's minds, that makes them worms...

I agree that the detects could be evidence of such scanning.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

