On 25/05/05, mike king <[EMAIL PROTECTED]> wrote: > this is not at all uncommon. so chances are its the same program just tweaked.
Thanks Mike. Another point: on some machines infected by the same nasty beast, there is a second FTP server on a high port. The banners look like ProFTPD (with miscellaneous version numbers) but the servers are probably not ProFTPD: they allow commands before login, and answer to a limited set of commands and freeze on common things like "cd .." Anybody have seen this? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
