[Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
Mike Iglesias
iglesias at draco.acs.uci.edu
Thu Sep 23 22:06:30 BST 2004
> I've been finding a few compromised Windows systems on our campus that
> have a random port open with a banner of "220 StnyFtpd 0wns j0". All the
> systems seem to be doing SYN scans on port 445 and LSASS buffer overflow
> attempts. Anyone know what worm/bot is doing this? I don't have access
> to these machines so I can only get a network view of what the systems are
> doing.
On the systems I saw with this ftp server running, I was able to download
an exe from it.
If I remember correctly, the ftp user was "1 1", with no password. The
executable I was able to download was wp32.exe, although this could change.
Mike Iglesias Email: iglesias at draco.acs.uci.edu
University of California, Irvine phone: 949-824-6926
Network & Academic Computing Services FAX: 949-824-2069
Full-Disclosure is hosted and sponsored by Secunia.