Re: lsass.exe is missing on our w2k server and cannot be restored

From: Shannon Jacobs (shanen_at_my-deja.com)
Date: 05/18/04

    Date: Tue, 18 May 2004 15:40:58 +0900

    Hmm... I hope this isn't related to what I discovered on a friend's machine
    recently. There were two versions of LSASS present, and one of them was a
    Trojan. As usual, when I'm desperately tinkering around without really
    understanding, I can't recall all of what I did, though I nearly lost the
    "patient" when I was dinging on the wrong (actually the legitimate) LSASS.
    In her case, it should be rebuild-the-universe time, but she can't remember
    where she left the keys, as the sad joke goes. Probably not useful details,
    but I recall that the Trojan was much larger than the real thing, and it was
    located in a strange directory tree. The file date was strange, too, but
    that may have been part of a deliberate disguise.

    If there is (or was) a Trojan involved, that could obviously explain some of
    the problems you reported.

    Dominik wrote:
    > Hi all,
    >
    > I have a w2k sp4 server running with exchange. some weeks ago (before
    > sasser!) the server started behaving strangely. (=> taskmgr.exe eats
    > far too much cpu-time, server freezes when we terminated any process
    > via taskmgr.exe, services just stop at random, tlntsvr.exe running ...
    > ) so we took a closer look.
    >
    > we found out that the windows-update KB835732 couldn't be applied. the
    > update says that lsass.exe has to be present in order to install the
    > update.
    >
    > well we thought it was present... but as it turned out, no lsass.exe
    > could be found anywhere on our system. so we tried to copy the file
    > from another w2k server to the place where it belongs.
    >
    > this seemed to work but when we took a look at the directory,
    > lsass.exe was gone. so we tried again, this time we got an error
    > saying that the file with the specified name already exists and that
    > we cannot replace it (as admin in safe mode!!)
    >
    > we rebooted the system with knoppix and found out, that lsass.exe was
    > right in place all the time, but apparently somehow hidden from the
    > w2k-filesystem.
    >
    > we further found out that it is impossible to create a file with the
    > name lsass.exe anywhere on our system at all => same symptoms as
    > described above.
    >
    > does anyone have a clue what's going on on our server?!
    >
    > thanx for your help.
    >
    > dominik
    >
    > PS we checked version, date and size of any file running as a process,
    > disabled the telnet-server and checked dozens of .com, .dll and
    > .exe files to see whether they are the correct version. => no change,
    > still unable to create lsass.exe
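A defender-side check for the two symptoms this thread describes (a file that the offline Knoppix view shows but the live Windows view hides, and a second, oversized lsass.exe in an odd directory), written as an added example that is not part of the thread. The paths, byte sizes and the expected directory are constructed placeholders, not real Windows 2000 values.

```python
# Added example (not from the thread): cross-view comparison of a live Windows
# directory listing against an offline one (e.g. taken from a Knoppix boot),
# plus a masquerade check for extra copies of lsass.exe. All sample paths and
# sizes below are constructed for illustration.
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Entry:
    path: str   # full Windows path as reported by the listing
    size: int   # file size in bytes


def norm(path: str) -> str:
    # NTFS names are case-insensitive; a listing made from Linux may differ
    # only in case, which must not count as a different file.
    return str(PureWindowsPath(path)).lower()


def hidden_from_live(live, offline):
    """Paths present in the offline listing but missing from the live one."""
    live_paths = {norm(e.path) for e in live}
    return sorted(e.path for e in offline if norm(e.path) not in live_paths)


def suspicious_copies(listing, name="lsass.exe",
                      expected_dir=r"C:\WINNT\system32", reference_size=None):
    """Copies of `name` outside its expected directory, or whose size differs
    from a known-good reference copy (e.g. one taken from another w2k server)."""
    findings = []
    for e in listing:
        p = PureWindowsPath(e.path)
        if p.name.lower() != name:
            continue
        reasons = []
        if norm(str(p.parent)) != norm(expected_dir):
            reasons.append("unexpected directory")
        if reference_size is not None and e.size != reference_size:
            reasons.append(f"size {e.size} != reference {reference_size}")
        if reasons:
            findings.append((e.path, reasons))
    return findings


# Constructed sample: the live view lacks the real lsass.exe, the offline view
# shows it, and a much larger copy sits in an unrelated directory tree.
LIVE = [Entry(r"C:\WINNT\system32\services.exe", 91408),
        Entry(r"C:\Program Files\Common\lsass.exe", 412000)]
OFFLINE = LIVE + [Entry(r"C:\WINNT\System32\LSASS.EXE", 33552)]
REFERENCE_SIZE = 33552  # constructed size of the copy from the other server

if __name__ == "__main__":
    print("hidden from live view:", hidden_from_live(LIVE, OFFLINE))
    print("suspicious copies:", suspicious_copies(OFFLINE, reference_size=REFERENCE_SIZE))
```

The listings themselves would come from `dir /s` on the live system and from `find` on the mounted volume under Knoppix; this script only does the comparison.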

