[unisog] Apparent spread of LSASS exploitation

Peter Van Epp vanepp at sfu.ca
Thu Apr 29 03:29:41 GMT 2004


	Looks like it has gone mainstream as of about noon today. Between noon
(PDT) and now we lost some 7 machines. In all cases argus saw this (which is
probably after the initial infection by an on-campus host):

28 Apr 04 12:27:01    tcp   142.58.xxx.yy.1031   ->     65.75.181.220.8080  11     10        1101         4241        EST
28 Apr 04 12:27:01    tcp   65.75.181.220.60570  ->     142.58.xxx.yy.113   5      4         351          303         FIN

	So a quick block of 65.75.181.220 at the border router with logging
finds any new hosts that get infected (the initial 6 hosts were caught because
of port 135 scans outbound and I expect that will be true of new control hosts
too). I've given the owner of this machine a heads up that the machine is 
probably toast. This is typical of one or another of the viruses (usually for 
spamming): a control channel on identd (port 113) is established to control 
the infected host.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
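
As an added illustration of the detection the post describes (this is not code from the post or from argus), here is a small parser over constructed ra-style flow records that flags campus hosts by the three indicators mentioned: traffic to the control host, an inbound identd (113) control channel from it, and outbound port-135 scanning. The 192.0.2.0/24 campus prefix, the scan threshold and the sample lines are assumptions made for the example.

```python
from collections import defaultdict

# Control host named in the post; the threshold and 192.0.2.0/24 "campus" prefix are assumptions.
CONTROL_HOST = "65.75.181.220"
SCAN_THRESHOLD = 5   # distinct port-135 targets before a host counts as scanning

# Constructed sample in the argus "ra" layout quoted in the post (columns:
# date, time, proto, src.port, dir, dst.port, spkts, dpkts, sbytes, dbytes, state).
SAMPLE_LOG = """\
28 Apr 04 12:27:01  tcp  192.0.2.10.1031     ->  65.75.181.220.8080  11  10  1101  4241  EST
28 Apr 04 12:27:01  tcp  65.75.181.220.60570 ->  192.0.2.10.113      5   4   351   303   FIN
28 Apr 04 12:30:10  tcp  192.0.2.20.1040     ->  10.0.0.1.135        1   0   48    0     SYN
28 Apr 04 12:30:10  tcp  192.0.2.20.1041     ->  10.0.0.2.135        1   0   48    0     SYN
28 Apr 04 12:30:11  tcp  192.0.2.20.1042     ->  10.0.0.3.135        1   0   48    0     SYN
28 Apr 04 12:30:11  tcp  192.0.2.20.1043     ->  10.0.0.4.135        1   0   48    0     SYN
28 Apr 04 12:30:12  tcp  192.0.2.20.1044     ->  10.0.0.5.135        1   0   48    0     SYN
28 Apr 04 12:31:00  tcp  192.0.2.30.2001     ->  198.51.100.7.80     8   6   900   5200  FIN
"""

def parse_flow(line):
    """Split one ra-style record into its fields; return None for short or blank lines."""
    f = line.split()
    if len(f) < 13:
        return None
    src, sport = f[5].rsplit(".", 1)
    dst, dport = f[7].rsplit(".", 1)
    return {"time": " ".join(f[:4]), "proto": f[4], "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "state": f[12]}

def flag_hosts(log_text, campus_prefix="192.0.2."):
    """Map each campus host to the sorted list of indicators it triggered."""
    reasons, scan_targets = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        fl = parse_flow(line)
        if fl is None:
            continue
        # Indicator 1: any campus host talking to the known control host.
        if fl["src"].startswith(campus_prefix) and fl["dst"] == CONTROL_HOST:
            reasons[fl["src"]].add("outbound to control host port %d" % fl["dport"])
        # Indicator 2: the control host opening a channel on identd (113).
        if fl["src"] == CONTROL_HOST and fl["dport"] == 113:
            reasons[fl["dst"]].add("inbound identd (113) control channel")
        # Indicator 3: outbound port-135 probing, counted by distinct targets.
        if fl["src"].startswith(campus_prefix) and fl["dport"] == 135:
            scan_targets[fl["src"]].add(fl["dst"])
    for host, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            reasons[host].add("outbound port-135 scan (%d targets)" % len(targets))
    return {host: sorted(r) for host, r in reasons.items()}
```

Running `flag_hosts(SAMPLE_LOG)` flags 192.0.2.10 on both control-channel indicators and 192.0.2.20 as a port-135 scanner, while the ordinary web flow from 192.0.2.30 is left alone.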
