| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <hmhmck.53vhat@webmail1.hrnoc.net> From: marc at marcd.org (Marc) Subject: Increased TCP 139 Activity Roxy is also known as 'Randex' We have seen some vendor laptops come in infected with this. One 'undocumented' feature we have found related to this is the presence of the serv-u ftp server listening on port 81 of these machines. >Message: 20 >Subject: RE: [Full-Disclosure] Increased TCP 139 Activity >Date: Wed, 8 Oct 2003 10:57:26 -0500 >From: "Williams Jon" <WilliamsJonathan@...nDeere.com> >To: Full-Disclosure@...ts.netsys.com > > >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >I've had two machines act as if they were infected with something, >one on Saturday, and then one on Monday. They each went through and >tried to scan a whole Class B network (it failed, due to our >firewalls) on ports 139 and 445, both ports per address, one packet >per host. Each "infected" machine stopped when they reached the end >of the Class B. Neither machine "selected" a network to scan that >was related to their own IP address. Both machines scanned >non-sequentially. > >Both machines were taken offline and scanned for viruses. Both >showed positive for Blaster and one showed positive for a backdoor >called Roxy(?). Both were cleaned and patched and reconnected, and >we haven't seen another scan like that since, although we've been >watching closely.
Powered by blists - more mailing lists