| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040923180011.99303.qmail@web51502.mail.yahoo.com> From: keydet89 at yahoo.com (Harlan Carvey) Subject: unknown backdoor: 220 StnyFtpd 0wns j0 Ryan, > I've been finding a few compromised Windows systems > on our campus that > have a random port open with a banner of "220 > StnyFtpd 0wns j0". All the > systems seem to be doing SYN scans on port 445 and > LSASS buffer overflow > attempts. Anyone know what worm/bot is doing this? > I don't have access > to these machines so I can only get a network view > of what the systems are doing. If you don't have access to the machines, I'm not sure how you'd expect to determine what's going on beyond doing a Google search. For example, I did a Google search on "StnyFtpd" and came up with: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T http://www.bgsu.edu/offices/its/security/advisories/BGSU2004-08-27.html There are a couple of other sites in foreign languages. However, given that your situation involves random ports, rather than a specific port (ie, 7955), this may be a new variant. Since I'm sure you've already done a Google search, or some other search of your own, and likely already considered the same information I presented above, it's clear to me that you then decided that this wasn't helpful at all, perhaps given some other information that you have available, but cannot, for some reason, share.
Powered by blists - more mailing lists