[Snort-sigs] Bobax/Kibuv Windows XP UPnP SCAN

Jason Haar Jason.Haar at ...651...
Tue May 18 15:54:09 EDT 2004


Just a FYI, but from the looks of it Bobax just uses the port 5000 scan 
to find XP hosts - then it does the LSASS exploit against the vulnerable 
host.

So if you have LSASS rules, you don't need to worry about more specific 
rules.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1





More information about the Snort-sigs mailing list