> I've been finding a few compromised Windows systems on our campus that
> have a random port open with a banner of "220 StnyFtpd 0wns j0". All the
> systems seem to be doing SYN scans on port 445 and LSASS buffer overflow
> attempts. Anyone know what worm/bot is doing this? I don't have access
> to these machines so I can only get a network view of what the systems are
> doing.

On the systems I saw with this ftp server running, I was able to download an exe from it. If I remember correctly, the ftp user was "1 1", with no password. The executable I was able to download was wp32.exe, although this could change.

Mike Iglesias                          Email: [EMAIL PROTECTED]
University of California, Irvine       phone: 949-824-6926
Network & Academic Computing Services  FAX: 949-824-2069

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
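One way to flag these hosts from the network view alone is to correlate the two indicators described in this thread, the FTP banner and the port 445 SYN scanning. This is an added example, not part of the original messages; the record formats, the threshold, and all sample data are constructed assumptions.

```python
import re
from collections import defaultdict

BANNER_RE = re.compile(r"^220 StnyFtpd 0wns j0")  # banner quoted in the thread
FANOUT_THRESHOLD = 3  # assumed: distinct port-445 targets that count as scanning

# Constructed sample data (documentation address ranges), not real captures.
BANNERS = """\
192.0.2.10 21 220 Microsoft FTP Service
192.0.2.23 14231 220 StnyFtpd 0wns j0
192.0.2.57 6673 220 StnyFtpd 0wns j0
"""  # assumed format: host port banner
FLOWS = """\
192.0.2.23 198.51.100.1 445 S
192.0.2.23 198.51.100.2 445 S
192.0.2.23 198.51.100.3 445 S
192.0.2.10 198.51.100.9 445 SA
192.0.2.57 198.51.100.1 80 S
garbled line
"""  # assumed format: src dst dport tcp_flags

def banner_hosts(text):
    """Return {host: port} for hosts presenting the banner on any port."""
    hits = {}
    for line in text.splitlines():
        parts = line.split(None, 2)  # banner itself contains spaces
        if len(parts) == 3 and parts[1].isdigit() and BANNER_RE.match(parts[2]):
            hits[parts[0]] = int(parts[1])
    return hits

def smb_scanners(text, threshold=FANOUT_THRESHOLD):
    """Return {src: n} for sources sending bare SYNs to >= threshold hosts on 445."""
    targets = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()  # malformed lines fail the length check and are skipped
        if len(parts) == 4 and parts[2] == "445" and parts[3] == "S":
            targets[parts[0]].add(parts[1])
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}

def triage(banners, flows):
    """Both indicators -> 'high'; only one -> 'review'."""
    b, s = banner_hosts(banners), smb_scanners(flows)
    return {h: "high" if h in b and h in s else "review" for h in set(b) | set(s)}

if __name__ == "__main__":
    for host, level in sorted(triage(BANNERS, FLOWS).items()):
        print(host, level)
```

A host that shows only one of the two indicators is kept as "review" rather than dropped, since scan or banner data for it may simply be incomplete.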
