Re: [Full-Disclosure] ftp worm ?



Robert Perriero <perrieror1@mail.montclair.edu> wrote:

> I would be willing to bet that this is a modified "pub scanner". Similar 
> to the apache exploit posted, it appears as if it attempts to connect to 
> machines using known user accounts and passwords. It probably isn't a 
> worm, but rather someone behind a keyboard attempting to find a place to 
> store warez.

Your knowledge of pubstro is a tad out of date.  Many pubstro kits 
have, for ages, included various kinds of vulnerability scanners.  More 
recently (like at least 18 months ago?) semi-automatic "find the next 
victim" features were also being added to some pubstro kits, culminating 
in at least some fully automated, self-spreading pubstro agents.

In most people's minds, that makes them worms...

I agree that the detects could be evidence of such scanning.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html