| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9E97F0997FB84D42B221B9FB203EFA2717147C@dc1ms2.msad.brookshires.net> From: toddtowles at brookshires.com (Todd Towles) Subject: unknown backdoor: 220 StnyFtpd 0wns j0 Could be a variant of the Win32/kibuv.b worm http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIB UV.B&VSect=T Maybe it scans for the LSASS buffer overflow. Is there a FTP server on 7955? a backdoor on 420? This worm also tries to connect to a IRC channel via port 6667 ________________________________ From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Ryan Sumida Sent: Thursday, September 23, 2004 12:42 PM To: full-disclosure@...ts.netsys.com Subject: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0 I've been finding a few compromised Windows systems on our campus that have a random port open with a banner of "220 StnyFtpd 0wns j0". All the systems seem to be doing SYN scans on port 445 and LSASS buffer overflow attempts. Anyone know what worm/bot is doing this? I don't have access to these machines so I can only get a network view of what the systems are doing. Thanks, Ryan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040923/fd19fe70/attachment.html
Powered by blists - more mailing lists