Lsass.exe and Lssas.exe

**ndavies** · 29th October 2007, 01:26 PM

Found both of these in our WINNT/System32 folder. The Alerter service on our DC appears to be pointed to Lssas.exe. The Alerter service on our replica points to SCVHost.

A bit of research looks like the Lssas.exe is a nasty piece of work and shouldn't be there. A trojan variant of GrayBird.

Should Alerter be using SCVHost as opposed to the proper Lsass.exe?

We're also completely unable to ping our DC. It tells us it's connected to the switch fine, the switch says its fine yet we can't reach it?! Any suggestions. It has a fixed IP and being the DC has all the DNS and DHCP stuff on it.

Ta

Nick "head scratching" Davies

**Geoff** · 29th October 2007, 02:00 PM

On W2k3 SP2:

Code:

C:\WINDOWS\system32\svchost.exe -k LocalService

**ndavies** · 30th October 2007, 01:43 PM

turns out someone has loaded several services onto our dc to do with the counterstrike game. we've actually this morning just caught a remote user on it, trying to install more services and transferring stuff via an open ftp connectoin......first thing..pull the plug!

dear oh dear.

**Geoff** · 30th October 2007, 02:31 PM

So your network has been compromised?

**ndavies** · 30th October 2007, 03:53 PM

Looks like it. We're working through cleaning it up offline. But how can we ever be sure...there's so many processes running!

**Geoff** · 30th October 2007, 04:19 PM

You can't. You must rebuild your systems from known good backups and/or scratch. Also, contact your LEAs audit department. They have people for helping you with this.

LinkBack

Thread Tools

Search Thread

Lsass.exe and Lssas.exe

Re: Lsass.exe and Lssas.exe

Re: Lsass.exe and Lssas.exe

Re: Lsass.exe and Lssas.exe

Re: Lsass.exe and Lssas.exe

Re: Lsass.exe and Lssas.exe

Thread Information

Users Browsing this Thread

Posting Permissions