MS RPC LSASS Active Directory attacks on 1025/tcp

Clarke Morledge chmorl at wm.edu
Tue Apr 27 02:26:04 GMT 2004


I started seeing some attacks based on the MS RPC LSASS Active Directory
attacks on 1025/tcp this afternoon (Monday) at 3:30 PM.  They originated
from several .edu's (from my vantage point).

By 8:00 PM this evening, I started seeing a significant increase in hits
for this vulnerability -- and an exponential number of new networks that
appear to have infected systems scanning us -- not just from .edu's
anymore.

Snort sigs found here should pick this up, but train your port watching on
1025/tcp:

http://marc.theaimsgroup.com/?l=snort-sigs&m=108268090918254&w=2

There might be other attack vectors.  I've talked with a few other folks
who are seeing this combined with Phatbot.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
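The post recommends watching 1025/tcp and reports that the number of distinct scanning networks grew sharply over the course of the evening. The following Python script is an added example (it is not part of the original post and not a tool of the poster or the unisog list) of that kind of port watching: it reads SYN-log lines in a hypothetical "<epoch> <src>:<sport> -> <dst>:<dport> <flags>" format, counts probes to 1025/tcp per hour, tracks how many distinct source /24 networks appear in each hour, and flags hours where that network count at least doubles against the previous observed hour. The log lines, addresses and window size are all constructed for the example.

```python
"""Added example: per-hour watch on 1025/tcp that flags a surge in the
number of distinct source networks probing the port (not from the post)."""
from collections import defaultdict
import ipaddress
import re

# Hypothetical log format: "<epoch> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <flags>"
LINE_RE = re.compile(r"^(\d+) ([\d.]+):\d+ -> ([\d.]+):(\d+) (\w+)$")

# Constructed sample: a quiet hour with two source networks, then a later
# hour with probes arriving from six networks (plus one unrelated port 80 hit).
SAMPLE_LOG = """\
1083000000 192.0.2.5:3456 -> 10.1.2.3:1025 SYN
1083000100 192.0.2.6:3457 -> 10.1.2.4:1025 SYN
1083000200 198.51.100.9:4000 -> 10.1.2.5:1025 SYN
1083000300 198.51.100.9:4001 -> 10.1.2.6:1025 SYN
1083013200 203.0.113.7:1111 -> 10.1.2.3:1025 SYN
1083013300 203.0.113.8:1112 -> 10.1.2.4:1025 SYN
1083013400 100.64.1.1:2222 -> 10.1.2.9:1025 SYN
1083013500 100.64.2.2:2223 -> 10.1.2.9:1025 SYN
1083013600 192.0.2.50:3333 -> 10.1.2.9:1025 SYN
1083013700 198.51.100.200:3334 -> 10.1.2.9:1025 SYN
1083013800 198.51.100.200:3335 -> 10.1.2.9:80 SYN
1083013900 100.64.3.3:4444 -> 10.1.2.9:1025 SYN
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, flags = m.groups()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "flags": flags}


def probes_per_window(lines, port=1025, window=3600):
    """Map each time bucket (ts // window) to (probe_count, sorted list of source /24 networks)
    for SYNs to the watched port. Only SYNs count, so established traffic is ignored."""
    stats = defaultdict(lambda: [0, set()])
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != port or rec["flags"] != "SYN":
            continue
        # strict=False lets a host address be collapsed to its /24 network
        net = ipaddress.ip_network(f"{rec['src']}/24", strict=False)
        bucket = rec["ts"] // window
        stats[bucket][0] += 1
        stats[bucket][1].add(str(net))
    return {b: (hits, sorted(nets)) for b, (hits, nets) in stats.items()}


def flag_surges(stats, growth=2.0):
    """Return the buckets where the count of distinct source networks is at least
    `growth` times the count in the previous observed bucket."""
    flagged = []
    prev = None
    for bucket in sorted(stats):
        if prev is not None and len(stats[bucket][1]) >= growth * len(stats[prev][1]):
            flagged.append(bucket)
        prev = bucket
    return flagged


if __name__ == "__main__":
    stats = probes_per_window(SAMPLE_LOG.splitlines())
    surges = flag_surges(stats)
    for bucket in sorted(stats):
        hits, nets = stats[bucket]
        mark = "  <-- surge in scanning networks" if bucket in surges else ""
        print(f"hour {bucket}: {hits} SYNs to 1025/tcp from {len(nets)} networks{mark}")
```

Run it against real firewall or flow exports by adapting `LINE_RE` to the local log format; comparing against the previous observed hour rather than the previous calendar hour keeps the surge check meaningful on sparse logs where quiet hours produce no lines at all.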
