[unisog] Apparent spread of LSASS exploitation

Lang, Michael mike.lang at uconn.edu
Wed Apr 28 16:56:42 GMT 2004


I believe so, hard to tell because I have ACL's that block 135,445.  I saw a boat load of 1025...

- Mike

-----Original Message-----
From: Gary Flynn [mailto:flynngn at jmu.edu]
Sent: Wednesday, April 28, 2004 12:56 PM
To: UNIversity System Operators Group Mailing list
Cc: Lang, Michael
Subject: Re: [unisog] Apparent spread of LSASS exploitation


Lang, Michael wrote:

>I have it and sent a copy to ISC, I can send a copy to anyone who wants it.
>
>Symantec detects it as W32.Gaobot.AFJ in the liveupdate released within the hour.
>  
>
Do you know if it scans port 135 or 445 like previous versions?
The reason I ask is that is how I'm detecting and quarantining
infected computers.

thanks,

Gary Flynn
Security Engineer
James Madison University





More information about the unisog mailing list