RE: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
It sounds like the KIBUV.B worm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T

Regards,
Alex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ryan Sumida
Sent: 23 September 2004 18:42
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0

I've been finding a few compromised Windows systems on our campus that have a random port open with a banner of "220 StnyFtpd 0wns j0". All the systems seem to be doing SYN scans on port 445 and LSASS buffer overflow attempts. Anyone know what worm/bot is doing this? I don't have access to these machines so I can only get a network view of what the systems are doing.

Thanks,
Ryan
Re: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
You can try scanning it if you have the file.
http://virusscan.jotti.dhs.org

Ryan Sumida wrote:
> Thank you all for the help, I definitely appreciate it. The last system I
> checked had ftp running on port 15708 which makes me believe it is not the
> WORM_KIBUV.B but a similar variant. Sorry for the unnecessary post, I
> googled the whole string which didn't come back with anything. I should
> have just googled "StnyFtpd".
>
> Thanks again,
>
> Ryan
>
> [EMAIL PROTECTED] wrote on 09/23/2004 10:42:13 AM:
>
> > I've been finding a few compromised Windows systems on our campus that
> > have a random port open with a banner of "220 StnyFtpd 0wns j0". All
> > the systems seem to be doing SYN scans on port 445 and LSASS buffer
> > overflow attempts. Anyone know what worm/bot is doing this? I don't
> > have access to these machines so I can only get a network view of what
> > the systems are doing.
> >
> > Thanks,
> >
> > Ryan
Re: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
> I've been finding a few compromised Windows systems on our campus that
> have a random port open with a banner of "220 StnyFtpd 0wns j0". All the
> systems seem to be doing SYN scans on port 445 and LSASS buffer overflow
> attempts. Anyone know what worm/bot is doing this? I don't have access
> to these machines so I can only get a network view of what the systems are
> doing.

On the systems I saw with this ftp server running, I was able to download an exe from it. If I remember correctly, the ftp user was "1 1", with no password. The executable I was able to download was wp32.exe, although this could change.

Mike Iglesias                          Email: [EMAIL PROTECTED]
University of California, Irvine       phone: 949-824-6926
Network & Academic Computing Services  FAX:   949-824-2069
Re: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
Thank you all for the help, I definitely appreciate it. The last system I checked had ftp running on port 15708 which makes me believe it is not the WORM_KIBUV.B but a similar variant. Sorry for the unnecessary post, I googled the whole string which didn't come back with anything. I should have just googled "StnyFtpd".

Thanks again,

Ryan

[EMAIL PROTECTED] wrote on 09/23/2004 10:42:13 AM:

> I've been finding a few compromised Windows systems on our campus that
> have a random port open with a banner of "220 StnyFtpd 0wns j0". All
> the systems seem to be doing SYN scans on port 445 and LSASS buffer
> overflow attempts. Anyone know what worm/bot is doing this? I don't
> have access to these machines so I can only get a network view of what
> the systems are doing.
>
> Thanks,
>
> Ryan
RE: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T

Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ryan Sumida
Sent: Thursday, September 23, 2004 10:42 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0

I've been finding a few compromised Windows systems on our campus that have a random port open with a banner of "220 StnyFtpd 0wns j0". All the systems seem to be doing SYN scans on port 445 and LSASS buffer overflow attempts. Anyone know what worm/bot is doing this? I don't have access to these machines so I can only get a network view of what the systems are doing.

Thanks,
Ryan
Re: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
Couple things to look for.

1. connections to IRC
2. are the names in the IRC connection random and look generated
3. time intervals
4. does it appear that the machines on the network are getting patched if you run a vuln scanner against them and once reported vuln?

This should point you towards if it's a bot/worm. A lot of the bots use the lsass vuln.

best of luck.

giles

On Thu, 23 Sep 2004 10:42:13 -0700 Ryan Sumida <[EMAIL PROTECTED]> wrote:
> I've been finding a few compromised Windows systems on our campus that
> have a random port open with a banner of "220 StnyFtpd 0wns j0". All the
> systems seem to be doing SYN scans on port 445 and LSASS buffer overflow
> attempts. Anyone know what worm/bot is doing this? I don't have access
> to these machines so I can only get a network view of what the systems are
> doing.
>
> Thanks,
>
> Ryan

time® is a trademark of Universe© Public use permitted by fair use agreement ( copyright [NULL] )
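Ryan only has a network view, and giles' checklist is entirely network-observable (the FTP banner on an arbitrary port, SYN fan-out to 445/tcp, IRC sessions with generated-looking nicks). The script below is an added triage example, not code from the thread: it runs those three checks over a constructed set of flow records (the record format, the 10-target scan threshold and the nick heuristic are all assumptions made for the example).

```python
import re
from collections import defaultdict

# Constructed sample network view (not real capture data): one record per
# observed event. kind is "syn" (outbound TCP SYN from src to dst:dport),
# "banner" (service banner read from src:dport) or "irc" (NICK seen on a flow).
SAMPLE = [
    {"src": "10.1.2.3", "dst": "10.1.9.%d" % i, "dport": 445, "kind": "syn", "data": ""}
    for i in range(1, 25)
] + [
    {"src": "10.1.2.3", "dst": "", "dport": 15708, "kind": "banner", "data": "220 StnyFtpd 0wns j0"},
    {"src": "10.1.2.3", "dst": "198.51.100.7", "dport": 6667, "kind": "irc", "data": "NICK xk3q9zvt7"},
    {"src": "10.1.4.4", "dst": "", "dport": 21, "kind": "banner", "data": "220 ProFTPD Server ready"},
    {"src": "10.1.4.4", "dst": "198.51.100.7", "dport": 6667, "kind": "irc", "data": "NICK alice"},
]

BANNER_RE = re.compile(r"^220 StnyFtpd 0wns j0")  # the banner from the thread
SCAN_THRESHOLD = 10  # assumed: distinct 445/tcp targets before a host counts as scanning

def looks_generated(nick: str) -> bool:
    """giles' item 2, as an assumed heuristic: long, digit-laden, vowel-poor nick."""
    vowels = sum(c in "aeiou" for c in nick.lower())
    has_digit = any(c.isdigit() for c in nick)
    return len(nick) >= 8 and has_digit and vowels / len(nick) < 0.25

def triage(records):
    """Return {host: sorted indicator strings} for every host with at least one hit."""
    syn_targets = defaultdict(set)
    hits = defaultdict(set)
    for r in records:
        if r["kind"] == "syn" and r["dport"] == 445:
            syn_targets[r["src"]].add(r["dst"])
        elif r["kind"] == "banner" and BANNER_RE.match(r["data"]):
            # the listening port is random per host, so key on the banner, not the port
            hits[r["src"]].add("stnyftpd-banner:%d" % r["dport"])
        elif r["kind"] == "irc" and r["dport"] == 6667:
            nick = r["data"].split(" ", 1)[1] if r["data"].startswith("NICK ") else ""
            if looks_generated(nick):
                hits[r["src"]].add("irc-generated-nick:%s" % nick)
    for host, targets in syn_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            hits[host].add("syn-scan-445:%d-targets" % len(targets))
    return {h: sorted(v) for h, v in hits.items()}

if __name__ == "__main__":
    for host, indicators in triage(SAMPLE).items():
        print(host, ", ".join(indicators))
```

A host that trips all three indicators at once is a much stronger candidate for isolation than one matching any single check, which is why the output groups them per host.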
RE: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
Could be a variant of the Win32/kibuv.b worm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T

Maybe it scans for the LSASS buffer overflow. Is there an FTP server on 7955? A backdoor on 420? This worm also tries to connect to an IRC channel via port 6667.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ryan Sumida
Sent: Thursday, September 23, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0

I've been finding a few compromised Windows systems on our campus that have a random port open with a banner of "220 StnyFtpd 0wns j0". All the systems seem to be doing SYN scans on port 445 and LSASS buffer overflow attempts. Anyone know what worm/bot is doing this? I don't have access to these machines so I can only get a network view of what the systems are doing.

Thanks,
Ryan
Re: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T

Ryan Sumida wrote:
> I've been finding a few compromised Windows systems on our campus that
> have a random port open with a banner of "220 StnyFtpd 0wns j0". All the
> systems seem to be doing SYN scans on port 445 and LSASS buffer overflow
> attempts. Anyone know what worm/bot is doing this? I don't have access
> to these machines so I can only get a network view of what the systems are
> doing.
>
> Thanks,
>
> Ryan
RE: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
Ryan-

Looks like you have Kibuv_B
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T

Take care-
James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ryan Sumida
Sent: Thursday, September 23, 2004 1:42 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0

I've been finding a few compromised Windows systems on our campus that have a random port open with a banner of "220 StnyFtpd 0wns j0". All the systems seem to be doing SYN scans on port 445 and LSASS buffer overflow attempts. Anyone know what worm/bot is doing this? I don't have access to these machines so I can only get a network view of what the systems are doing.

Thanks,
Ryan
Re: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
Ryan,

> I've been finding a few compromised Windows systems on our campus that
> have a random port open with a banner of "220 StnyFtpd 0wns j0". All the
> systems seem to be doing SYN scans on port 445 and LSASS buffer overflow
> attempts. Anyone know what worm/bot is doing this? I don't have access
> to these machines so I can only get a network view of what the systems
> are doing.

If you don't have access to the machines, I'm not sure how you'd expect to determine what's going on beyond doing a Google search. For example, I did a Google search on "StnyFtpd" and came up with:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T
http://www.bgsu.edu/offices/its/security/advisories/BGSU2004-08-27.html

There are a couple of other sites in foreign languages. However, given that your situation involves random ports, rather than a specific port (i.e., 7955), this may be a new variant.

Since I'm sure you've already done a Google search, or some other search of your own, and likely already considered the same information I presented above, it's clear to me that you then decided that this wasn't helpful at all, perhaps given some other information that you have available, but cannot, for some reason, share.
[Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
I've been finding a few compromised Windows systems on our campus that have a random port open with a banner of "220 StnyFtpd 0wns j0". All the systems seem to be doing SYN scans on port 445 and LSASS buffer overflow attempts. Anyone know what worm/bot is doing this? I don't have access to these machines so I can only get a network view of what the systems are doing.

Thanks,

Ryan