MS RPC LSASS Active Directory attacks on 1025/tcp

Clarke Morledge chmorl at
Tue Apr 27 02:26:04 GMT 2004

I started seeing some attacks based on the MS RPC LSASS Active Directory
attacks on 1025/tcp this afternoon (Monday) at 3:30 PM.  They originated
from several .edu's (from my vantage point).

By 8:00 PM this evening, I started seeing a significant increase in hits
for this vulnerability -- and an exponential number of new networks that
appear to have infected systems scanning us -- not just from .edu's.

Snort sigs found here should pick this up, but train your port watching on

There might be other attack vectors.  I've talked with a few other folks
who are seeing this combined with Phatbot.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187