Re: new IIS worm? (rcp lsass.exe)

• Previous message: H. Morrow Long: "New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)"
• In reply to: Christian Mock: "new IIS worm? (rcp lsass.exe)"
• Next in thread: Mike Lewinski: "Re: new IIS worm? (rcp lsass.exe)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 23 Sep 2002 01:18:14 +0200
From: Björn Wallentinus <bjorn.wallentinus@abc.se>
To: incidents@securityfocus.com

Christian Mock wrote:

> As a search of google and securityfocus turned up nothing, I'll throw in
> what I gathered so far and ask if anybody can identify this: (it seems
> the affected customer's systems weren't vulnerable, so I don't know what
> the worm's further actions are).

Hi,
I saw this thing a few days ago (ca 21 UTC 2002-09-20) but that was the
only time I've ever seen it so I belived it was just some home made
script.

I can confirm the slow scanning it does. It hit two of our customers
seven times during approximately two hours. These two customers are on
the same C net so I guess the attacks were part of the same scan.

The attacker was based in Korea and tried to retrieve the lsass.exe file
from NJ, USA.

Regards
Björn Wallentinus
ProAct Defcom Onguard 24

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

• Previous message: H. Morrow Long: "New variants of Slapper worm using UDP ports other than 2002 today -- 1978 and 4156 -- (and they were apparently active yesterday as well)"
• In reply to: Christian Mock: "new IIS worm? (rcp lsass.exe)"
• Next in thread: Mike Lewinski: "Re: new IIS worm? (rcp lsass.exe)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages GPS your bike for shipping - cool ... Milwaukee-Based Motorcycle Shipper Integrates GPS Tracking System ... customers to track their shipment online. ... (rec.motorcycles.dirt) RE: New scanner? ... 718 attacks of those types, in that number, in that order. ... instances of WEB-IIS multiple decode attempt ... This list is provided by the SecurityFocus ARIS analyzer service. ... and tracking system please see: http://aris.securityfocus.com ... (Incidents) Re: increased attacks on port 2599 ... All I see are SYN packets...where are the 'attacks' ... > attacks @ port 2599... ... For more information on this free incident handling, ... and tracking system please see: http://aris.securityfocus.com ... (Incidents) Re: OpenSSH - Dictionary Attacks ... Because we have a fairly secure password procedure ... If the customers log in from fixed other machines, ... your policies work and are detering attacks. ... (comp.security.ssh) Re: Octane Controversy ... > The blaming and attacks on Borland's customers for having a normal ... > customer's response to this, ... I don't see anyone attacking customers for being concerned about the ... mainly because most people here (including TeamB members) are ... (borland.public.delphi.non-technical)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint