Although Microsoft is reporting the NT4 is not vulnerable to the LSASS vulnerability, I'm here to tell you otherwise. I have some NT4 servers that are loop rebooting due to LSASS crashing. Are there others out there seeing this behavior?
Hoss: I don't have any NT4 servers left :cool: but it's my understanding of the worm that:-
1. It's very badly written
2. It can cause non-vulnerable systems to reboot even if they can't be exploited, it screws up LSASS anyway and the system just dumps.
You may be seeing repeated attempts to exploit even though the exploit never "takes hold"; you're experiencing a DoS as an inadvertent result of the worm.
As an aside..... Why do these systems have ports 445 or 139 exposed to the public network.... I have never managed to come up with a valid business reason for these being open to the public network, or RPC for that matter.... but there are so many boxes out there that get bitten by exploits running through them that someone must have a reason for them to be there......
The security bulletin at MS has NT 4 listed in the MS04-011 patch 835732
http://www.microsoft.com/security/se...04_windows.asp
although the info on MS here says NT 4 SP6a machines are NOT affected???http://www.microsoft.com/security/incident/sasser.asp
Very confusing....
Maybe a variant that targets NT 4??
Sorry, can't be of more help
mlf
We recently upgraded to 2003 Server
But when patching the NT4 machines... some patches (post SP6) seemed to knock out other ones and then they needed to be reapplied... in a certain order to take
maybe this is why you got bit??
Heya Tiger,
Actually, none of the machines are internet-facing. These are all internal machines that got pounded after a rogue laptop was plugged into the inside.
I went to look at the problem because it made no sense to me why LSASS would be crashing, especially when port 445 is not open on NT4. After some closer investigation, the worm was also sending out propagation attempts on 139. TONS of NetBIOS traffic was flying around but interestingly, no infections took place. So it seems that the mere attempt to propagate was enough to send LSASS into a fit on NT4 machines.
At this hour, all is quiet on the western front after patches were installed on the NT boxes.
Why do I feel I'm not being told the entire truth??????
Quote:
all is quiet on the western front after patches were installed on the NT boxes
Where is the owner of the laptop????? ;)
Ohhhhhh, that gal. Well let's just say she won't be an issue now or in the future. ;)
Also, I sent a sample of the worm up to Symantec because I have not seen a single mention of port 139 use so this may actually be another variant.
Hoss:
I had my suspicions about the perp..... You know you can't bury her in the back yard don't you..... ;)
I have seen mention of port 139, that's why I mentioned it.... ;) but I don't recall if that was the original version or a variant.
Have you seen Scimitar's question about the ARP storm on the front page? Any suggestions since you already dealt with the "little bugger"?
We have NT4, W2K and XP. I've seen the following effects:
NT4: Some systems seem to slow down because of a high number of pings received. Sasser cannot infect NT4? (NT4 systems that weren't patched had no problems except the slow down).
W2K: Crashes LSASS and therefore reboots. Doesn't seem to infect.
XP: Crashes LSASS, reboots and gets infected.
Listening to a MS Webcast about Sasser now, asked if NT4 was affected, and they claim it is not vulnerable. If your system is infected it used more than 445 and 139. Depending on which of the 4 variants you have, it can also use ports 9996 or 5554.
MrCoffee
No. Both are opened after you've been infected. They're not part of the infection vector.
Quote:
Originally posted here by MrCoffee
Depending on which of the 4 variants you have, it can also use ports 9996 or 5554.
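Two things in this thread are worth turning into a check a defender can run: Hoss's observation that one rogue internal host was sweeping the subnet on 445 and 139 (enough to knock over LSASS on NT4 even without infecting it), and the later point that 5554 and 9996 are opened only after a box is infected, so a listener on either is a post-infection indicator rather than part of the attack. The Python below is an added example, not code from anyone in the thread. It works on constructed sample data: the connection-log line format ("<time> <src> -> <dst>:<port> <proto>") is an assumption, and the listener lines imitate the shape of `netstat -an` output. It flags any source that touches several distinct hosts on the propagation ports, and any local listener on the post-infection ports.

```python
"""Flag Sasser-style subnet sweeps and post-infection listeners.

Added example, not from the thread. Assumed input formats:
  connection log line: "<time> <src_ip> -> <dst_ip>:<dport> <proto>"
  listener line:       netstat -an style, e.g.
                       "TCP    0.0.0.0:5554   0.0.0.0:0   LISTENING"
"""
import re
from collections import defaultdict

# Ports the thread names: the worm propagates over 445 and 139, and opens
# 5554 / 9996 on a host only after it has been infected.
PROPAGATION_PORTS = {445, 139}
POST_INFECTION_PORTS = {5554, 9996}

_CONN_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)
_LISTEN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+:(?P<port>\d+)\s+\S+\s+LISTENING$", re.IGNORECASE
)

# Constructed sample: 10.0.0.99 plays the rogue laptop sweeping the subnet;
# 10.0.0.20 is a normal workstation talking to one file server.
CONNECTION_LOG = [
    "10:01:01 10.0.0.99 -> 10.0.0.1:445 tcp",
    "10:01:01 10.0.0.99 -> 10.0.0.2:445 tcp",
    "10:01:02 10.0.0.99 -> 10.0.0.3:445 tcp",
    "10:01:02 10.0.0.99 -> 10.0.0.3:139 tcp",
    "10:01:03 10.0.0.99 -> 10.0.0.4:139 tcp",
    "10:01:03 10.0.0.99 -> 10.0.0.5:139 tcp",
    "10:01:04 10.0.0.99 -> 10.0.0.6:445 tcp",
    "10:01:05 10.0.0.20 -> 10.0.0.7:445 tcp",
    "10:01:06 10.0.0.20 -> 10.0.0.7:445 tcp",
    "10:01:07 10.0.0.21 -> 10.0.0.8:80 tcp",
    "malformed line that the parser should skip",
]

# Constructed sample in netstat -an style for a host that has been infected.
NETSTAT_SAMPLE = [
    "TCP    0.0.0.0:139            0.0.0.0:0              LISTENING",
    "TCP    0.0.0.0:445            0.0.0.0:0              LISTENING",
    "TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING",
    "TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING",
    "TCP    10.0.0.5:139           10.0.0.99:1071         ESTABLISHED",
]


def parse_connection(line):
    """Parse one connection-log line; return None for lines that don't fit."""
    m = _CONN_RE.match(line.strip())
    if not m:
        return None
    return {"time": m["time"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"].lower()}


def find_scanners(lines, min_targets=5):
    """Map each source hitting >= min_targets distinct hosts on 445/139 to
    the sorted list of hosts it touched. One workstation talking to one
    file server never reaches the threshold; a subnet sweep does."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_connection(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] in PROPAGATION_PORTS:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def find_post_infection_listeners(lines):
    """Return the sorted post-infection ports (5554/9996) found LISTENING."""
    found = set()
    for line in lines:
        m = _LISTEN_RE.match(line.strip())
        if m and int(m["port"]) in POST_INFECTION_PORTS:
            found.add(int(m["port"]))
    return sorted(found)


if __name__ == "__main__":
    for src, hosts in find_scanners(CONNECTION_LOG).items():
        print(f"sweep from {src}: {len(hosts)} hosts on 445/139 -> {hosts}")
    print("post-infection listeners:", find_post_infection_listeners(NETSTAT_SAMPLE))
```

The threshold of five distinct targets is an assumption chosen so that ordinary file-share traffic stays quiet; on a real segment, tune it to the number of servers a workstation legitimately reaches. The listener check is the one to run on an NT4 box that keeps rebooting: if 5554 or 9996 is not listening, the thread's explanation (propagation attempts crashing LSASS without an infection) is the more likely story.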