Someone is asking for LSASS.EXE via UDP -- is this bad?

Hi, my firewall today on my office (work) computer told me that a
request was coming in to execute lsass.exe from a UDP connection on
port 4500.  I blocked it, and the log shows this:

Inbound UDP packet.
Local address,service is (RMACKENNA(,4500).
Remote address,service is (,4500).
Process name is "C:\WINDOWS\system32\lsass.exe".

I redacted the actual IP addresses here, for privacy -- but my address
is on an internal network within my corporation, and is not (I
thought) exposed to the outside world -- we have hardware firewalls in
place.  The remote IP address resolved to a user in some other company
-- I recognize the company but have never dealt with them as part of
my job.

My virus scan returns nothing.

Do I have something to worry about regarding this event?


Re: Someone is asking for LSASS.EXE via UDP -- is this bad?

On this special day, Randy Brick MacKenna wrote:

Very old exploit. Obviously, the owner of the machine is someone with
Windows 2000 or XP without Service Pack 2. Several worms used this
trick, the most notorious of them being the Sasser worm. Other bot worms
adopted this method, especially SDbot and RBot, as well as Zotob.

Gabriele Neukam

ignorance can be fixed. stupidity is life-long.
(jshdude in alt.comp.anti-virus)
