Full Disclosure mailing list archives

Re: unknown backdoor: 220 StnyFtpd 0wns j0


From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 23 Sep 2004 11:00:11 -0700 (PDT)

Ryan,

I've been finding a few compromised Windows systems
on our campus that 
have a random port open with a banner of "220
StnyFtpd 0wns j0".  All the 
systems seem to be doing SYN scans on port 445 and
LSASS buffer overflow 
attempts.  Anyone know what worm/bot is doing this? 
I don't have access 
to these machines so I can only get a network view
of what the systems are doing.

If you don't have access to the machines, I'm not sure
how you'd expect to determine what's going on beyond
doing a Google search.

For example, I did a Google search on "StnyFtpd" and
came up with:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T

http://www.bgsu.edu/offices/its/security/advisories/BGSU2004-08-27.html

There are a couple of other sites in foreign
languages.

However, given that your situation involves random
ports, rather than a specific port (ie, 7955), this
may be a new variant.  

Since I'm sure you've already done a Google search, or
some other search of your own, and likely already
considered the same information I presented above,
it's clear to me that you then decided that this
wasn't helpful at all, perhaps given some other
information that you have available, but cannot, for
some reason, share.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Current thread: