Full Disclosure mailing list archives
Re: unknown backdoor: 220 StnyFtpd 0wns j0
From: "mike king" <ngiles () hushmail com>
Date: Thu, 23 Sep 2004 11:59:46 -0700
Couple things to look for.

1. connections to IRC
2. are the names in the IRC connection random and look generated
3. time intervals
4. does it appear that the machines on the network are getting patched if you run a vuln scanner against them and once reported vuln?

This should point you towards if it's a bot/worm. A lot of the bots use the lsass vuln.

best of luck.
giles

On Thu, 23 Sep 2004 10:42:13 -0700 Ryan Sumida <rsumida () csulb edu> wrote:
I've been finding a few compromised Windows systems on our campus that have a random port open with a banner of "220 StnyFtpd 0wns j0". All the systems seem to be doing SYN scans on port 445 and LSASS buffer overflow attempts. Anyone know what worm/bot is doing this? I don't have access to these machines so I can only get a network view of what the systems are doing.

Thanks,
Ryan
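A network-only triage covering points 1 and 3 of the reply plus the port 445 SYN scanning from the original report, as an added example that is not part of either post. The flow tuple layout, the IRC port set, the thresholds and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

IRC_PORTS = {6667}  # assumption: default IRC port only; bots often use others

# Constructed sample flows: (epoch_seconds, src, dst, dst_port, tcp_flags).
# "S" means only a SYN was seen (no handshake); "SAPF" is a completed session.
FLOWS = [
    (1000, "10.0.0.5", "10.0.1.1", 445, "S"),
    (1001, "10.0.0.5", "10.0.1.2", 445, "S"),
    (1002, "10.0.0.5", "10.0.1.3", 445, "S"),
    (1003, "10.0.0.5", "10.0.1.4", 445, "S"),
    (1010, "10.0.0.5", "192.0.2.10", 6667, "SAPF"),
    (1310, "10.0.0.5", "192.0.2.10", 6667, "SAPF"),
    (1611, "10.0.0.5", "192.0.2.10", 6667, "SAPF"),
    (1909, "10.0.0.5", "192.0.2.10", 6667, "SAPF"),
    (1000, "10.0.0.9", "10.0.1.1", 445, "SAPF"),    # ordinary file-share session
    (1200, "10.0.0.9", "192.0.2.77", 6667, "SAPF"),  # irregular IRC use
    (1950, "10.0.0.9", "192.0.2.77", 6667, "SAPF"),
    (5000, "10.0.0.9", "192.0.2.77", 6667, "SAPF"),
    (5400, "10.0.0.9", "192.0.2.77", 6667, "SAPF"),
]

def triage(flows, min_targets=3, max_cv=0.1):
    """Return {src: set_of_indicators} for hosts matching any check."""
    smb_targets = defaultdict(set)  # src -> hosts probed with bare SYNs on 445
    irc_times = defaultdict(list)   # (src, dst) -> connection start times
    for ts, src, dst, dport, flags in flows:
        if dport == 445 and flags == "S":
            smb_targets[src].add(dst)
        elif dport in IRC_PORTS:
            irc_times[(src, dst)].append(ts)
    hits = defaultdict(set)
    for src, targets in smb_targets.items():
        if len(targets) >= min_targets:
            hits[src].add("445-syn-scan")
    for (src, _dst), times in irc_times.items():
        hits[src].add("irc-connection")
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Low relative spread between reconnects suggests an automated client.
        if len(gaps) >= 3 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits[src].add("regular-interval")
    return dict(hits)

if __name__ == "__main__":
    for host, indicators in sorted(triage(FLOWS).items()):
        print(host, sorted(indicators))
```

A host that matches all three indicators is the stronger bot candidate; an IRC connection on its own is not.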