lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: jackhammer at gmail.com (Paul Tinsley) Subject: Heads up: Possible lsass worm in the wild I have seen this one active and in use, it is connecting to 216-110-80-17.gen.twtelecom.net on port 6667. I connected to the server and found several interestingly named channels with interestingly named clients in them: Channel names: #!tenzkor #[psy]- prefix to each client #!!s32 #[eduz]- prefix to each client #!rifkraca #exc prefix to each client On Thu, 29 Apr 2004 12:22:27 -0700, morning_wood <se_cur_ity@...mail.com> wrote: > > i think the importaint thing here is that this was dropped via an lsass exploit, > not that it is a specific type of viral agent ( agobot ) included in the drop. > > for those interested in a sample, it may be obtained at > http://exploit.nothackers.org/msiwin84-lsass.zip > > > > morning_wood > http://exploitlabs.com > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists