From: ngiles at (mike king)
Subject: unknown backdoor: 220 StnyFtpd 0wns j0

Couple things to look for.

1. connections to IRC
2. are the names in the IRC connection random and look generated
3. time intervals
4. does it appear that the machines on the network are getting patched
if you run a vuln scanner against them and once reported vuln?

This should point you towards if it's a bot/worm. A lot of the bots use
the lsass vuln.

best of luck. giles

On Thu, 23 Sep 2004 10:42:13 -0700 Ryan Sumida <> wrote:
>I've been finding a few compromised Windows systems on our campus
>have a random port open with a banner of "220 StnyFtpd 0wns j0".  All the
>systems seem to be doing SYN scans on port 445 and LSASS buffer
>attempts.  Anyone know what worm/bot is doing this?  I don't have
>to these machines so I can only get a network view of what the systems

time® is a trademark of Universe©
Public use permitted by fair use agreement ( copyright [NULL] )
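
The first three checks in the reply, plus the port-445 SYN scanning described in the quoted report, written as a triage pass over flow records. This is an added example, not part of the original thread; the record layout, sample data, port set, thresholds and nickname heuristic are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (not from the thread): (epoch_s, src, dst, dport, IRC nick or "SYN")
FLOWS = [
    (1000, "10.0.0.5", "198.51.100.7", 6667, "xkqzvw8412"),
    (1300, "10.0.0.5", "198.51.100.7", 6667, "brtplm5530"),
    (1600, "10.0.0.5", "198.51.100.7", 6667, "qwzjhd9921"),
    (1900, "10.0.0.5", "198.51.100.7", 6667, "ztrkpf0147"),
] + [(2000 + i, "10.0.0.5", f"10.0.1.{i}", 445, "SYN") for i in range(1, 41)] + [
    (1100, "10.0.0.9", "198.51.100.20", 6667, "alice"),
    (4700, "10.0.0.9", "198.51.100.20", 6667, "alice"),
    (5000, "10.0.0.9", "10.0.0.2", 445, "SYN"),
]

IRC_PORTS = {6667}   # assumption: default IRC port only; bots also use others
SCAN_FANOUT = 20     # assumption: distinct 445 targets before calling it a scan

def looks_generated(nick):
    """Crude heuristic: long nick with several digits or almost no vowels."""
    digits = sum(c.isdigit() for c in nick)
    vowels = sum(c in "aeiou" for c in nick.lower())
    return len(nick) >= 6 and (digits >= 3 or vowels / len(nick) < 0.15)

def regular_intervals(times, tolerance=0.1):
    """True when gaps between 3+ connections deviate under `tolerance` of the mean gap."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return len(gaps) >= 2 and pstdev(gaps) <= tolerance * mean(gaps)

def triage(flows):
    """Return {src: set of indicators} for checks 1-3 plus port-445 scanning."""
    irc_times, nicks, smb = defaultdict(list), defaultdict(set), defaultdict(set)
    for ts, src, dst, dport, detail in sorted(flows):
        if dport in IRC_PORTS:
            irc_times[src].append(ts)
            nicks[src].add(detail)
        elif dport == 445 and detail == "SYN":
            smb[src].add(dst)
    report = defaultdict(set)
    for src in set(irc_times) | set(smb):
        if irc_times[src]:
            report[src].add("irc")
        if any(looks_generated(n) for n in nicks[src]):
            report[src].add("generated-nick")
        if regular_intervals(irc_times[src]):
            report[src].add("regular-interval")
        if len(smb[src]) >= SCAN_FANOUT:
            report[src].add("445-scan")
    return dict(report)
```

Check 4 (hosts that stop showing a previously reported vulnerability) needs scanner history rather than flow data, so it is not covered here.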