Posted by Randy Brick MacKenna on July 31, 2007, 3:28 pm
request was coming in to execute lsass.exe from a UDP connection on
port 4500. I blocked it, and the log shows this:
Inbound UDP packet.
Local address,service is (RMACKENNA(xxx.xx.xxx.xxx),4500).
Remote address,service is (xxx.xx.xxx.xxx,4500).
Process name is "C:\WINDOWS\system32\lsass.exe".
I redacted the actual IP addresses here, for privacy -- but my address
is on an internal network within my corporation, and is not (I
thought) exposed to the outside world -- we have hardware firewalls in
place. The remote IP address resolved to a user in some other company
-- I recognize the company but have never dealt with them as part of
My virus scan returns nothing.
Do I have something to worry about regarding this event?
Re: Someone is asking for LSASS.EXE via UDP -- is this bad?
Very old exploit. Obviously, the owner of the machine is someone with
Windows 2000 or XP without Service Pack 2. Several worms used this
trick, the most notorious of them being the Sasser worm. Other bot worms
adopted this method, especially SDbot and RBot, as well as Zotob.
ignorance can be fixed. stupidity is life-long.
(jshdude in alt.comp.anti-virus)
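
An added example, not part of the original thread: it parses a firewall entry in the format quoted in the question and reports the facts to check first (registered service for the port, whether the remote address is internal, whether the lsass.exe image path is the system one). The sample entry is constructed with placeholder addresses; `INTERNAL_NETS`, `EXPECTED_LSASS` and the function names are assumptions.

```python
import ipaddress
import re

# Constructed entry in the log format quoted in the question. The addresses
# are placeholders, since the post redacts the real ones.
SAMPLE = r'''Inbound UDP packet.
Local address,service is (RMACKENNA(10.20.30.40),4500).
Remote address,service is (203.0.113.77,4500).
Process name is "C:\WINDOWS\system32\lsass.exe".
'''

ENTRY = re.compile(
    r'(?P<direction>\w+) (?P<proto>\w+) packet\.\s*'
    r'Local address,service is '
    r'\((?:(?P<host>[^()]+)\()?(?P<lip>[\d.]+)\)?,(?P<lport>\d+)\)\.\s*'
    r'Remote address,service is \((?P<rip>[\d.]+),(?P<rport>\d+)\)\.\s*'
    r'Process name is "(?P<process>[^"]+)"\.')

# Assumption: the internal network is RFC 1918 space; replace with real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IANA service names for the IKE / IPsec NAT traversal ports.
SERVICES = {("UDP", 500): "isakmp", ("UDP", 4500): "ipsec-nat-t"}
# Assumption: Windows is installed in C:\WINDOWS, as in the quoted entry.
EXPECTED_LSASS = r"c:\windows\system32\lsass.exe"


def parse(text):
    """Return one dict per log entry found in text."""
    return [m.groupdict() for m in ENTRY.finditer(text)]


def triage(entry):
    """Summarise the facts an analyst checks first for one entry."""
    remote = ipaddress.ip_address(entry["rip"])
    image = entry["process"].lower()
    name = image.rsplit("\\", 1)[-1]
    return {
        "host": entry["host"],
        "direction": entry["direction"].lower(),
        "process": name,
        "service": SERVICES.get((entry["proto"].upper(), int(entry["lport"])), "unknown"),
        "remote_is_internal": any(remote in net for net in INTERNAL_NETS),
        # A binary named lsass.exe outside system32 is not the real one.
        "image_path_ok": name != "lsass.exe" or image == EXPECTED_LSASS,
    }


if __name__ == "__main__":
    for e in parse(SAMPLE):
        print(triage(e))
```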