lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: unknown backdoor: 220 StnyFtpd 0wns j0

Ryan,

> I've been finding a few compromised Windows systems
> on our campus that 
> have a random port open with a banner of "220
> StnyFtpd 0wns j0".  All the 
> systems seem to be doing SYN scans on port 445 and
> LSASS buffer overflow 
> attempts.  Anyone know what worm/bot is doing this? 
> I don't have access 
> to these machines so I can only get a network view
> of what the systems are doing.

If you don't have access to the machines, I'm not sure
how you'd expect to determine what's going on beyond
doing a Google search.

For example, I did a Google search on "StnyFtpd" and
came up with:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T

http://www.bgsu.edu/offices/its/security/advisories/BGSU2004-08-27.html

There are a couple of other sites in foreign
languages.

However, given that your situation involves random
ports, rather than a specific port (ie, 7955), this
may be a new variant.  

Since I'm sure you've already done a Google search, or
some other search of your own, and likely already
considered the same information I presented above,
it's clear to me that you then decided that this
wasn't helpful at all, perhaps given some other
information that you have available, but cannot, for
some reason, share.


Powered by blists - more mailing lists