[unisog] Full-on LSASS worm? [was: Apparent spread of LSASS exploitation]

Jason Alexander lists at itsecurity3.its.uiowa.edu
Fri Apr 30 12:59:26 GMT 2004


Julian,

How are you detecting these infected machines?  Are you watching for 
outbound traffic, doing some type of snort sig, or something else?
I've built a snort sig based on some of the packet caps posted here in 
the last couple days but I have only seen a small number of machines
on campus that match.  Makes me think we're missing something.

Jason

Julian Y. Koh wrote:
> At 14:27 -0500 4/29/2004, David Ressman wrote:
> 
>>>Greetings,
>>>
>>>In the last two hours, we've seen a bunch of hosts all start scanning
>>>out for ports 2745, 135, 1025, 445, 80, 3127, 139, 1433, and 5000.
> 
> 
> We've got a large outbreak of that here.  Most of the machines appear to have
> some variant of Gaobot.  The latest, I believe, is Gaobot.AFJ according to
> Symantec.
> 
> 


-----
Jason Alexander
Sr. Security Analyst
The University of Iowa
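One way to approach the detection question raised in this thread, as an added example that is not part of the original post or any poster's tooling: rather than matching the exploit payload with a signature, count outbound connection attempts per source against the port list David and Julian reported and flag hosts that sweep many distinct destinations on several of those ports within a short window. The flow records and thresholds below are constructed for illustration; a real deployment would feed it NetFlow or firewall logs and tune the thresholds to the campus's baseline.

```python
"""Flag hosts whose outbound connection attempts look like the scanning
pattern described in the thread: many distinct destinations on the listed
ports within a short window.  Added example; all input is constructed."""
from collections import defaultdict

# Ports the thread reports the infected hosts scanning.
SCAN_PORTS = {2745, 135, 1025, 445, 80, 3127, 139, 1433, 5000}


def build_sample_flows():
    """Constructed flow log, one record per line: '<epoch> <src> <dst> <dport>'.
    One host sweeps 24 neighbours on the listed ports within a few seconds;
    another does ordinary web browsing spread over several minutes."""
    lines = []
    t = 1083326366  # arbitrary epoch seconds (constructed)
    ports = sorted(SCAN_PORTS)
    for i in range(24):
        dst = f"192.0.2.{i + 1}"
        port = ports[i % len(ports)]
        lines.append(f"{t + i // 4} 10.1.2.3 {dst} {port}")
    # Benign traffic: three web servers on port 80, 90 seconds apart.
    for i, dst in enumerate(["198.51.100.7", "198.51.100.8", "198.51.100.9"]):
        lines.append(f"{t + i * 90} 10.1.2.4 {dst} 80")
    return lines


def parse_flow_line(line):
    """Parse one constructed flow record into (timestamp, src, dst, dport)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def find_scanners(lines, window=60, min_targets=20, min_ports=3):
    """Return {src: (distinct_targets, distinct_ports)} for every source that,
    within a single `window`-second bucket, contacted at least `min_targets`
    distinct destinations on at least `min_ports` distinct listed ports.
    Traffic to ports outside SCAN_PORTS is ignored so ordinary load on,
    say, port 80 alone does not trip the port-diversity threshold."""
    targets = defaultdict(set)  # (src, bucket) -> set of destination IPs
    ports = defaultdict(set)    # (src, bucket) -> set of destination ports
    for line in lines:
        ts, src, dst, port = parse_flow_line(line)
        if port not in SCAN_PORTS:
            continue
        key = (src, ts // window)
        targets[key].add(dst)
        ports[key].add(port)

    hits = {}
    for key, dsts in targets.items():
        src = key[0]
        if len(dsts) >= min_targets and len(ports[key]) >= min_ports:
            prev = hits.get(src, (0, 0))
            hits[src] = (max(prev[0], len(dsts)), max(prev[1], len(ports[key])))
    return hits


if __name__ == "__main__":
    for src, (n_dst, n_ports) in find_scanners(build_sample_flows()).items():
        print(f"{src}: {n_dst} destinations on {n_ports} listed ports in one window")
```

Fixed 60-second buckets can split a burst that straddles a boundary, so a production version would use a sliding window; the behavioural approach also complements rather than replaces a packet signature, since it catches variants whose payload differs but whose scanning habit does not.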