Christian Mock wrote: > As a search of google and securityfocus turned up nothing, I'll throw in > what I gathered so far and ask if anybody can identify this: (it seems > the affected customer's systems weren't vulnerable, so I don't know what > the worm's further actions are). Hi, I saw this thing a few days ago (ca 21 UTC 2002-09-20) but that was the only time I've ever seen it so I belived it was just some home made script. I can confirm the slow scanning it does. It hit two of our customers seven times during approximately two hours. These two customers are on the same C net so I guess the attacks were part of the same scan. The attacker was based in Korea and tried to retrieve the lsass.exe file from NJ, USA. Regards Björn Wallentinus ProAct Defcom Onguard 24 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Sep 22 2002 - 17:04:06 PDT