Could
be a variant of the Win32/kibuv.b
worm
Maybe
it scans for the LSASS buffer overflow. Is there a FTP server on 7955? a
backdoor on 420?
This
worm also tries to connect to a IRC channel via port
6667
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan Sumida
Sent: Thursday, September 23, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
I've been finding a few compromised Windows systems on our campus that have a random port open with a banner of "220 StnyFtpd 0wns j0". All the systems seem to be doing SYN scans on port 445 and LSASS buffer overflow attempts. Anyone know what worm/bot is doing this? I don't have access to these machines so I can only get a network view of what the systems are doing.
Thanks,
Ryan
