[unisog] Full-on LSASS worm? [was: Apparent spread of LSASS
lists at itsecurity3.its.uiowa.edu
Fri Apr 30 12:59:26 GMT 2004
How are you detecting these infected machines? Are you watching for
outbound traffic, doing some type of snort sig, or something else?
I've built a snort sig based on some of the packet caps posted here in
the last couple days but I have only seen a small number of machines
on campus that match. Makes me think we're missing something.
Julian Y. Koh wrote:
> At 14:27 -0500 4/29/2004, David Ressman wrote:
>>>In the last two hours, we've seen a bunch of hosts all start scanning
>>>out for ports 2745, 135, 1025, 445, 80, 3127, 139, 1433, and 5000.
> We've got a large outbreak of that here. Most of the machines appear to have
> some variant of Gaobot. The latest, I believe, is Gaobot.AFJ according to
Sr. Security Analyst
The University of Iowa
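
Added example, not part of the original message or thread: one way to watch outbound traffic for the behaviour quoted above is to score campus hosts by how many of the listed ports they probe and how many distinct destinations they touch. The flow-record shape (src, dst, dport), the campus prefix, the thresholds and the sample records are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Ports quoted in the thread as the scan set seen from infected hosts.
SCAN_PORTS = {2745, 135, 1025, 445, 80, 3127, 139, 1433, 5000}

def find_scanners(flows, campus_net, min_ports=4, min_targets=20):
    """Return {src: (ports_hit, distinct_targets)} for campus hosts that
    sent connection attempts to many distinct destinations across several
    of SCAN_PORTS. Thresholds are assumptions; tune them to local traffic."""
    net = ipaddress.ip_network(campus_net)
    ports = defaultdict(set)
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport not in SCAN_PORTS:
            continue
        if ipaddress.ip_address(src) not in net:
            continue  # only score our own hosts, not inbound probes
        ports[src].add(dport)
        targets[src].add(dst)
    return {
        src: (sorted(ports[src]), len(targets[src]))
        for src in ports
        if len(ports[src]) >= min_ports and len(targets[src]) >= min_targets
    }

def sample_flows():
    """Constructed flow records (src, dst, dport); not real capture data."""
    flows = []
    # 10.1.2.3 sweeps 30 addresses on six of the listed ports.
    for i in range(1, 31):
        for p in (135, 445, 139, 1025, 2745, 3127):
            flows.append(("10.1.2.3", f"192.0.2.{i}", p))
    # 10.1.2.4 is a busy web client: many destinations, but port 80 only.
    for i in range(1, 41):
        flows.append(("10.1.2.4", f"198.51.100.{i}", 80))
    # 10.1.2.5 talks SMB to a single file server.
    flows += [("10.1.2.5", "10.1.0.10", 445), ("10.1.2.5", "10.1.0.10", 139)]
    # An outside host probing campus is skipped by the campus filter.
    for i in range(1, 31):
        for p in (135, 445, 139, 1433):
            flows.append(("203.0.113.9", f"10.1.3.{i}", p))
    return flows

if __name__ == "__main__":
    for src, (hit, n) in find_scanners(sample_flows(), "10.1.0.0/16").items():
        print(f"{src}: {n} targets on ports {hit}")
```

Requiring several ports and many destinations together keeps ordinary web clients and file-server users out of the results, which a single-port signature cannot do.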