Sasser - Hosing NT4 too?
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Sasser - Hosing NT4 too?

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883

    Sasser - Hosing NT4 too?

    Although Microsoft is reporting the NT4 is not vulnerable to the LSASS vulnerability, I'm here to tell you otherwise. I have some NT4 servers that are loop rebooting due to LSASS crashing. Are there others out there seeing this behavior?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Hoss: I don't have any NT4 servers left but it's my understanding of the worm that:-

    1. It's very badly written
    2. It can cause non-vulnerable systems to reboot even if they can't be exploited, it screws up LSASS anyway and the system just dumps.

    You may be seeing repeated attempts to exploit even though the exploit never "takes hold", your experiencing a D0S as an inadvertent result of the worm.

    As an aside..... Why do these systems have ports 445 or 139 exposed to the public network.... I have never managed to come up with a valid business reason for these being open to the public network, or RPC for that matter.... but there are so many boxes out there that get bitten by exploits running through them that someone must have a reason for them to be there......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    The security bulletin at MS has NT 4 listed in the MS04-011 patch 835732
    http://www.microsoft.com/security/se...04_windows.asp


    although the info on MS here says NT 4 SP6a machines are NOT affected???http://www.microsoft.com/security/incident/sasser.asp

    Very confusing....

    Maybe a variant that targets NT 4??

    Sorry cant be of more help

    mlf
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152

    forgot something

    We recently upgraded to 2003 Server
    But when patching the NT4 machines...some patches (post sp 6)seemed to knock out other ones and then they needed to be reapplied...in a certain order to take
    maybe this is why you got bit??
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Heya Tiger,


    Actually, none of the machines are internet-facing. These are all internal machines that got pounded after a rouge laptop was plugged into the inside.

    I went to look at the problem because it made no sense to me why LSASS would be crashing, especially when port 445 is not open on NT4. After some closer investigation, the worm was also sending out propagation attempts on 139. TONS of NetBIOS traffic was flying around but interestingly, no infections took place. So it seems that the mere attempt to propigate was enough to send LSASS into a fit on NT4 machines.

    At this hour, all is quiet on the western front after patches were installed on the NT boxes.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    all is quiet on the western front after patches were installed on the NT boxes
    Why do I feel I'm not being told the entire truth??????

    Where is the owner of the laptop?????
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Ohhhhhh, that gal. Well let's just say she wont be an issue now or in the future.

    Also, I sent a sample of the worm up to Symantec because I have not seen a single mention of port 139 use so this may actually be another variant.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Hoss:

    I had my suspicions about the perp..... You know you can't bury her in the back yard don't you.....

    I have seen mention of port 139, that's why I mentioned it.... but I don't recall if that was the original version or a variant.

    Have you seen Scimitar's question about the ARP storm on the front page? Any suggestions since you already dealt with the "little bugger"?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    We have NT4, W2K and XP. I've seen the following effects:

    NT4: Some systems seem to slow down because of a high number of pings recieved. Sasser cannot infect NT4? (NT4 systems that weren't patched had no problems except the slow down).

    W2K: Crashes LSASS and therefor reboots. Doesn't seem to infect.

    XP: Crashes LSASS, reboots and gets infected.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Listening to a MS Webcast about Sasser now, asked if NT4 was effected, and they claim it is not vulnerable. If your system is infected it used more then 445, and 139. Depending on which of the 4 variants you have, it can also use ports 9996 oor 5554.

    MrCoffee
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Somepeople are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •