[unisog] Apparent spread of LSASS exploitation

Brian Eckman eckman at umn.edu
Wed Apr 28 17:15:31 GMT 2004

Lang, Michael wrote:
> I believe so, hard to tell because I have ACLs that block 135,445.  I saw a boat load of 1025...
> - Mike


Do you have any evidence that it was trying to specifically exploit the 
LSASS flaw, and not something else that might listen on 1025/tcp? 
Polybot has been targeting 1025/tcp for months, well before MS04-011 was 
known. I believe it was either MS03-001 or MS03-049 that it was trying 
to exploit over that port.

It's important to differentiate, as if it is targeting the LSASS flaw, 
then a bunch of us on this list would love to have a copy. If it's just 
targeting 1025/tcp, it's likely not of interest.

Please send a copy to me if you have time. A password protected ZIP file 
is preferred.


> -----Original Message-----
> From: Gary Flynn [mailto:flynngn at jmu.edu]
> Sent: Wednesday, April 28, 2004 12:56 PM
> To: UNIversity System Operators Group Mailing list
> Cc: Lang, Michael
> Subject: Re: [unisog] Apparent spread of LSASS exploitation
> Lang, Michael wrote:
>> I have it and sent a copy to ISC, I can send a copy to anyone who wants it.
>> Symantec detects it as W32.Gaobot.AFJ in the liveupdate released within the hour.
> Do you know if it scans port 135 or 445 like previous versions?
> The reason I ask is that is how I'm detecting and quarantining
> infected computers.
> thanks,
> Gary Flynn
> Security Engineer
> James Madison University
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."
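The distinction the thread turns on (Gary quarantines hosts that fan out across 135/445; Brian notes that 1025/tcp probing by itself could just be Polybot chasing older flaws) can be expressed as a small triage pass over firewall deny logs. The script below is an added example, not code from anyone on this list; the log line layout is an assumption, the sample lines are constructed, and the threshold of five distinct destinations per port is an arbitrary starting point for a campus network.

```python
import re
from collections import defaultdict

# Ports the thread ties to LSASS (MS04-011) scanning by Gaobot variants,
# versus 1025/tcp, which Polybot had been probing for months regardless.
LSASS_PORTS = {135, 445}
AMBIGUOUS_PORTS = {1025}

# Hypothetical firewall-deny line layout (an assumption, not any vendor's format):
# "<date> <time> <ACTION> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>[A-Z]+) TCP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def _constructed_log():
    """Constructed sample: one 445/tcp scanner, one 1025/tcp-only scanner, one benign host."""
    lines = []
    for i in range(1, 9):  # 10.0.0.5 probes 445/tcp on eight distinct hosts
        lines.append(f"2004-04-28 12:56:{i:02d} DENY TCP 10.0.0.5:3{i:03d} -> 10.1.0.{i}:445")
    for i in range(1, 9):  # 10.0.0.9 probes 1025/tcp on eight distinct hosts, never 135/445
        lines.append(f"2004-04-28 12:57:{i:02d} DENY TCP 10.0.0.9:4{i:03d} -> 10.1.0.{i}:1025")
    lines.append("2004-04-28 12:58:00 ALLOW TCP 10.0.0.20:5000 -> 10.1.0.1:445")  # one SMB session
    lines.append("this line is not a firewall record")  # parser must skip it, not crash
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Return {src, dst, dport} for a matching record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def fanout_by_port(lines):
    """Map each source -> {dport: set of distinct destinations it contacted}."""
    fanout = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        fanout[rec["src"]][rec["dport"]].add(rec["dst"])
    return fanout


def classify_sources(lines, threshold=5):
    """Label each source by what its scanning pattern actually supports.

    'lsass-port scanner'        -> fans out on 135 or 445, consistent with Gary's quarantine rule
    '1025/tcp only (ambiguous)' -> fans out on 1025 but never 135/445; not evidence of MS04-011
    'normal'                    -> no port reaches the fan-out threshold
    """
    labels = {}
    for src, ports in fanout_by_port(lines).items():
        lsass_hits = max((len(ports[p]) for p in LSASS_PORTS if p in ports), default=0)
        ambig_hits = max((len(ports[p]) for p in AMBIGUOUS_PORTS if p in ports), default=0)
        if lsass_hits >= threshold:
            labels[src] = "lsass-port scanner"
        elif ambig_hits >= threshold:
            labels[src] = "1025/tcp only (ambiguous)"
        else:
            labels[src] = "normal"
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:12s} {label}")
```

The point of the second label is the one Brian makes: a host hammering 1025/tcp is worth a look, but it is not by itself evidence of the LSASS flaw, so it should not be reported as such or trigger the same quarantine action as a 135/445 fan-out without a packet capture or a sample to confirm what is being sent.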
