[Full-Disclosure] Increased TCP 139 Activity
Marc
marc at marcd.org
Thu Oct 9 12:24:20 BST 2003
Roxy is also known as 'Randex' We have seen some vendor laptops come in
infected with this. One 'undocumented' feature we have found related to this
is the presence of the serv-u ftp server listening on port 81 of these
machines.
>Message: 20
>Subject: RE: [Full-Disclosure] Increased TCP 139 Activity
>Date: Wed, 8 Oct 2003 10:57:26 -0500
>From: "Williams Jon" <WilliamsJonathan at JohnDeere.com>
>To: Full-Disclosure at lists.netsys.com
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>I've had two machines act as if they were infected with something,
>one on Saturday, and then one on Monday. They each went through and
>tried to scan a whole Class B network (it failed, due to our
>firewalls) on ports 139 and 445, both ports per address, one packet
>per host. Each "infected" machine stopped when they reached the end
>of the Class B. Neither machine "selected" a network to scan that
>was related to their own IP address. Both machines scanned
>non-sequentially.
>
>Both machines were taken offline and scanned for viruses. Both
>showed positive for Blaster and one showed positive for a backdoor
>called Roxy(?). Both were cleaned and patched and reconnected, and
>we haven't seen another scan like that since, although we've been
>watching closely.
Full-Disclosure is hosted and sponsored by Secunia.