Educause Security Discussion mailing list archives
Slammed by the SASSER?
From: Monte Schmeiser <MSchmeiser () MARYMOUNTPV EDU>
Date: Thu, 7 Oct 2004 22:14:24 -0700
I am stumped. Our network has been slammed by a virus for the last two days. It is wreaking havoc. We have not been able to zero in on the source and I would like ANY advice anyone could give us. I apologize for the length of this email but want to give as much info as possible.

Our Network

Hardware-based firewall
Switched network
200 workstations running Windows XP Professional
External DNS server running Windows NT
Internal DNS server running Windows 2000
Backup internal DNS server running Windows 2000
Active Directory server running Windows 2000
Backup Active Directory server running Windows 2000
Exchange 2000 email server w/SP3
Novell 5.0 file server
Web server running IIS 5.0
SQL Server 2000

Day One (morning)

Help desk calls began coming in with people reporting that when attempting to log into the network (Novell) they were either getting an error (Windows unspecified error) or they could log in, but once they did, they would get a countdown popup saying their system would shut down in 60 seconds.

Our web server was getting slammed by a "generic denial of service" attack. This was reported by our Entercept HIDS software. This server is the only one on our network that is open to HTTP traffic via our firewall. EVERYTHING else is locked down from the outside world except for our email server.

By the symptoms we concluded that we were dealing with the Sasser worm. What was confusing was that we are running Symantec Corporate antivirus and all of our workstations were up to date as far as definitions go. If it was the worm, why was Symantec not catching it?

We had our users shut down their workstations. We noticed that our internal backup DNS server's LSASS.EXE service was running at very high CPU levels, so we shut it down. We shut down our IIS server. The servers running AD were also getting slammed, which was then causing our Exchange server to hang. We decided to bring everything down. We then went one by one through our servers and scanned each one.

We started the task of cleaning up workstations across campus. We were also seeing numerous machines infected with the worm.32 virus. We do not have patch management software. We began patching our systems with the Microsoft vulnerability patch for LSASS. We were able to bring our systems online last night.

Day Two

Today, many people were still reporting login errors and computers automatically shutting down. It is going to take a lot of time going to each computer to apply patches manually.

Email problem rears its head

Today we started getting reports that users could not connect to the Exchange server using Outlook. Two scenarios were being reported: when attempting to open Outlook, the program would hang with no login, OR the login would appear, the user would log in, and then get a message reporting that the Exchange server could not be reached. This was happening on computers that had been infected but then cleaned and patched. The strange thing is that we have other workstations on campus that had been infected, cleaned and patched, and they could log in to their Exchange email.

Does anyone have any initial thoughts on what might be going on and how we should attack this problem? At this point we are just going to continue cleaning and patching workstations but are stumped with the Exchange problem. I am also frustrated as to why our Symantec antivirus did not detect these worms since they are not new. All of our desktops are up to date with definitions, but people are still reporting virus problems associated with SASSER, we think. The symptoms look like it's SASSER but also a little like the LOVESAN virus. But again, we are not getting alerts on these computers from Symantec.

Thanks for any help or advice you may have.

Monte Schmeiser
Institutional Technology
Marymount College
mschmeiser () marymountpv edu
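The post above says the team could not "zero in on the source" of the outbreak. The script below is an added example, not part of the original message or anything its author ran: it shows how connection records from a firewall or flow export can be used to find the hosts doing the spreading. Two facts about Sasser that are not in the post are relied on here: the worm propagates by attacking the LSASS flaw over TCP/445, and an infected host runs an FTP server on TCP/5554 (with a remote shell on 9996) from which newly hit machines fetch the worm binary. All IP addresses and the record format are constructed for the example; a real deployment would replace build_sample_log() with a parser for the site's own log format.

```python
"""Triage helper for a Sasser-style TCP/445 outbreak (added example).

Given (src_ip, dst_ip, dst_port) connection records, rank sources by the
number of DISTINCT hosts they touched on 445, and list hosts that accepted
connections on the worm's FTP/shell ports, since those are already infected
and serving the binary to others.
"""
from collections import defaultdict

# Ports the Sasser worm is known to use (general knowledge about the worm,
# not taken from the original post).
SMB_PORT = 445            # LSASS exposure exploited for propagation
BACKDOOR_PORTS = {5554, 9996}  # worm's FTP server / remote shell


def build_sample_log():
    """Constructed sample records (hypothetical addresses) shaped like a
    flow or firewall export: (src_ip, dst_ip, dst_port)."""
    records = []
    # A legitimate workstation talking to one file server on 445 many times.
    records += [("10.1.4.5", "10.1.1.10", SMB_PORT)] * 40
    # An infected workstation sweeping the local subnet on 445.
    records += [("10.1.4.17", f"10.1.4.{n}", SMB_PORT) for n in range(1, 31)]
    # A second host just beginning to spread (few targets so far) which also
    # fetched the worm binary from the first host's FTP backdoor.
    records += [("10.1.4.20", f"10.1.4.{n}", SMB_PORT) for n in range(40, 44)]
    records.append(("10.1.4.20", "10.1.4.17", 5554))
    return records


def rank_smb_scanners(records, min_targets=10):
    """Return [(src_ip, distinct_445_targets), ...], most active first,
    keeping only sources at or above min_targets.

    Counting distinct destinations instead of raw connections separates a
    workstation that hammers its file server from one sweeping the subnet.
    """
    targets = defaultdict(set)
    for src, dst, port in records:
        if port == SMB_PORT:
            targets[src].add(dst)
    ranked = [(src, len(d)) for src, d in targets.items() if len(d) >= min_targets]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def backdoor_hosts(records):
    """Hosts that accepted connections on the worm's FTP/shell ports.

    Any such host is serving the worm to others and should be pulled off the
    network before the scanners further down the ranking.
    """
    return sorted({dst for _, dst, port in records if port in BACKDOOR_PORTS})


if __name__ == "__main__":
    log = build_sample_log()
    for host, count in rank_smb_scanners(log):
        print(f"{host}: {count} distinct TCP/445 targets")
    print("hosts serving the worm on 5554/9996:", backdoor_hosts(log))
```

With the constructed sample, only 10.1.4.17 clears the default threshold of 10 distinct targets, and it is also the only host that accepted a connection on 5554, so it would be the first machine to isolate; lowering min_targets surfaces 10.1.4.20 as the next host to check. The file-server client 10.1.4.5, despite 40 connections on 445, never appears because it reached a single destination.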
Current thread:
- Slammed by the SASSER? Monte Schmeiser (Oct 07)
- <Possible follow-ups>
- Re: Slammed by the SASSER? Eric Pancer (Oct 07)
- Re: Slammed by the SASSER? Monte Schmeiser (Oct 07)
- Re: Slammed by the SASSER? James Riden (Oct 08)