[Snort-sigs] Bobax/Kibuv Windows XP UPnP SCAN

Jason Haar Jason.Haar at ...651...
Tue May 18 15:54:09 EDT 2004

Just a FYI, but from the looks of it Bobax just uses the port 5000 scan 
to find XP hosts - then it does the LSASS exploit against the vulnerable 

So if you have LSASS rules, you don't need to worry about more specific 


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-sigs mailing list