Security Incidents mailing list archives

Re: new IIS worm? (rcp lsass.exe)

From: Björn Wallentinus <bjorn.wallentinus () abc se>
Date: Mon, 23 Sep 2002 01:18:14 +0200

Christian Mock wrote:

As a search of google and securityfocus turned up nothing, I'll throw in
what I gathered so far and ask if anybody can identify this: (it seems
the affected customer's systems weren't vulnerable, so I don't know what
the worm's further actions are).


Hi,
I saw this thing a few days ago (ca 21 UTC 2002-09-20) but that was the
only time I've ever seen it so I belived it was just some home made
script. 

I can confirm the slow scanning it does. It hit two of our customers
seven times during approximately two hours. These two customers are on
the same C net so I guess the attacks were part of the same scan.

The attacker was based in Korea and tried to retrieve the lsass.exe file
from NJ, USA.

Regards
Björn Wallentinus
ProAct Defcom Onguard 24

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

new IIS worm? (rcp lsass.exe) Christian Mock (Sep 22)
- Re: new IIS worm? (rcp lsass.exe) Björn Wallentinus (Sep 22)
- Re: new IIS worm? (rcp lsass.exe) Michael Thompson (Sep 23)
  - Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 23)
  - Re: new IIS worm? (rcp lsass.exe) Lasse Sundström (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 23)
- <Possible follow-ups>
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) pj (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Bellenger, Bruno (Paris) (Sep 24)
  - Slapper worm DoS james (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 24)

(Thread continues...)