look through the snort mailing lists or through the cvs rules, both have rules for the lsass exploit.
On Wed, 28 Apr 2004 23:22:09 -0500, Chris Scott <[EMAIL PROTECTED]> wrote: > > Does anyone have snort sigs or any means of defending against the worms that > are exploiting this? Several acquaintances of mine which work for edu's are > reporting their networks being affected by this in a big way. They have 2k > machines which apparently broke when applied with the MS04-011 patch. > > Am I correct in saying that LSASS cannot be disabled completely because the > Security Accounts Manager service which uses LSASS is required for normal > operation of Windows? > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Tuesday, April 27, 2004 10:36 PM > To: [EMAIL PROTECTED] > Subject: RE: [Full-Disclosure] LSASS exploit win32 binary > > for those who are testing... a "shutdown -a" will stop it shutting down > although a manual shutdown after that displays a "You do not have > permission to shut down this computer." > > tested it on 3 xp boxes without appropriate patch, all crashed. > > |---------+--------------------------------------> > | | "Chris Scott" | > | | <[EMAIL PROTECTED]> | > | | Sent by: | > | | [EMAIL PROTECTED]| > | | .netsys.com | > | | | > | | | > | | 28/04/2004 01:00 PM | > | | | > |---------+--------------------------------------> > > >--------------------------------------------------------------------------- > -----------------------------------| > | > | > | To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> > | > | cc: > | > | Subject: RE: [Full-Disclosure] LSASS exploit win32 binary > | > > >--------------------------------------------------------------------------- > -----------------------------------| > > Tested against Windows XP Pro without the appropriate patch, it crashes the > service and initiates a shutdown timer. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Tuesday, April 27, 2004 6:24 PM > Subject: [Full-Disclosure] LSASS exploit win32 binary > > hi kids. > here's the compiled version of LSASS exploit from k-otik ... > http://users.volja.net/exceed/RLsasrv.zip > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
