Full Disclosure mailing list archives

RE: unknown backdoor: 220 StnyFtpd 0wns j0


From: "Fowler, Mike" <mike.fowler () guidancesoftware com>
Date: Thu, 23 Sep 2004 12:14:09 -0700

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T
 
 
 

Mike 

 

________________________________

From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Ryan
Sumida
Sent: Thursday, September 23, 2004 10:42 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] unknown backdoor: 220 StnyFtpd 0wns j0



I've been finding a few compromised Windows systems on our campus
that have a random port open with a banner of "220 StnyFtpd 0wns j0".
 All the systems seem to be doing SYN scans on port 445 and LSASS
buffer overflow attempts.  Anyone know what worm/bot is doing this? 
I don't have access to these machines so I can only get a network
view of what the systems are doing. 

Thanks, 

Ryan

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQVMggXM87JWv+p9GEQKhlACgg5Bu7/7oNot2mojru42n4arvvtwAoK92
vCQLsHX37i7hK4P5vwMgrScD
=rLJ1
-----END PGP SIGNATURE-----
 
 

Attachment: PGPexch.rtf.pgp
Description: PGPexch.rtf.pgp
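
One way to triage hosts from the network side using the two indicators in the original question (the FTP-style banner and SYN fan-out on port 445), as an added example that is not part of the thread. All addresses, ports, records and the fan-out threshold are constructed or assumed.

```python
# Added example: correlate the two network-side indicators from the post.
# All hosts, ports and records below are constructed sample data.
from collections import defaultdict

BANNER_MARKER = "StnyFtpd"   # substring of the banner quoted in the post
SCAN_PORT = 445              # port the post says is being SYN-scanned
FANOUT_THRESHOLD = 5         # assumed: distinct targets before calling it a scan

# (host, port, first line returned on connect): constructed banner-grab results
BANNERS = [
    ("10.1.4.23", 31337, "220 StnyFtpd 0wns j0"),
    ("10.1.4.40", 21,    "220 Microsoft FTP Service"),
    ("10.1.7.9",  8721,  "220 StnyFtpd 0wns j0"),
]

# (src, dst, dport, flags): constructed flow records; "S" is assumed to mean
# a flow in which only a SYN was ever seen from the source
FLOWS = (
    [("10.1.4.23", f"10.1.9.{i}", 445, "S") for i in range(1, 9)]
    + [("10.1.4.40", "10.1.9.2", 445, "SAF")] * 3   # ordinary file-share session
    + [("10.1.7.9", f"10.1.9.{i}", 445, "S") for i in range(1, 4)]
)

def banner_hosts(banners):
    """Hosts serving the marker banner, mapped to the ports that returned it."""
    hits = defaultdict(set)
    for host, port, line in banners:
        if line.startswith("220 ") and BANNER_MARKER in line:
            hits[host].add(port)
    return dict(hits)

def syn_scanners(flows, port=SCAN_PORT, threshold=FANOUT_THRESHOLD):
    """Sources with SYN-only flows to at least `threshold` distinct hosts on `port`."""
    targets = defaultdict(set)
    for src, dst, dport, flags in flows:
        if dport == port and flags == "S":
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

def triage(banners, flows):
    """'high' = banner and scanning both seen, 'medium' = only one indicator."""
    b, s = banner_hosts(banners), syn_scanners(flows)
    return {h: ("high" if h in b and h in s else "medium")
            for h in sorted(set(b) | set(s))}

if __name__ == "__main__":
    for host, grade in triage(BANNERS, FLOWS).items():
        print(host, grade)
```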

