Re: 100% cpu usage for LSASS.EXE on DC intermittently, consistent
- From: "Bill-MT" <BillMT@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 6 Apr 2005 08:55:03 -0700
> "Bill-MT" wrote:
>
> > > "Bill-MT" <BillMT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > > > I've looked on the Internet and see references to WORMS doing this, but
> >
> > "Phillip Windell" wrote:
> > > Phillip Windell [MCP, MVP, CCNA]
> > > That is the wrong thing to expect. It is probably infected. Every time I
> > > have heard of this happening, without exception,...it was infected.
> >
> > Thanks for your response Phillip, but...
> >
> > I doubt any of the DCs are infected themselves. They are not logged into
> > interactively except to do DC work (no email, no web). They always have the
> > latest security patches applied. If it is a WORM on a client machine, very
> > possible, (like MS-Blaster, etc) it must be a worm specific to hitting a
> > single DC. Again note, I don't see this behavior on any other machine (other
> > DC's, member server, or clients) which I would expect to see in the case of a
> > worm randomly walking the internal address spaces.
> >
> > Anyone have any more insight on what to look for here?
> > Anyone tell me what to look for in my sniffer captures?
> >
> "mrklaxon" wrote:
> There is an LSASS worm I think. I think I also saw this with McAfee AV.
OK, let's assume it's a worm. (I kind of wonder if it is, because a worm
would likely attack more than one DC at a time or at least move from DC to
DC; that's the behavior we've seen with NetBIOS worms in the past.)
So, now I'm back to my second question above.
What do I need to look for in my sniffer captures (or using other tools) to
find the offending machine? We have 2000+ machines in our LAN and we are
closely tied (i.e. have NetBIOS ports open) to thousands more in our sister
schools.
Anyone know how to find the offending machine(s)?
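
One way to approach the question in the post above, as an added example that is not part of the original thread: tally new TCP connection attempts per client to the affected DC from a capture exported as CSV, and note whether each client also contacts other hosts on the same ports. The column layout, the watched ports (135, 139, 445), the addresses and the function name `rank_sources` are assumptions; the sample rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Assumed watch list: RPC endpoint mapper, NetBIOS session service, SMB over TCP.
WATCHED_PORTS = {135, 139, 445}

# Constructed sample export (not real traffic): epoch, src, dst, dst port, TCP flags.
SAMPLE = """\
1000,10.1.4.23,10.1.0.5,445,S
1001,10.1.4.23,10.1.0.5,445,S
1002,10.1.4.23,10.1.0.5,445,S
1003,10.1.4.23,10.1.0.5,139,S
1004,10.1.4.23,10.1.0.5,445,S
1005,10.1.4.23,10.1.0.5,445,S
1005,10.1.4.23,10.1.0.5,445,A
1000,10.1.7.80,10.1.0.5,445,S
1130,10.1.7.80,10.1.0.5,135,S
1131,10.1.7.80,10.1.0.9,445,S
1200,10.1.9.14,10.1.0.5,80,S
"""

def rank_sources(capture_csv, dc_ip, ports=WATCHED_PORTS):
    """Rank clients by new-connection attempts (bare SYN) to dc_ip on watched ports."""
    total = Counter()
    per_minute = defaultdict(Counter)  # src -> {minute bucket: SYN count}
    elsewhere = defaultdict(set)       # src -> other hosts contacted on the same ports
    for row in csv.reader(io.StringIO(capture_csv)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, dport, flags = (field.strip() for field in row)
        if flags != "S" or not dport.isdigit() or int(dport) not in ports:
            continue  # keep only connection openers on the watched ports
        if dst == dc_ip:
            total[src] += 1
            per_minute[src][int(float(ts)) // 60] += 1
        else:
            elsewhere[src].add(dst)
    return [
        {"src": src, "syns_to_dc": count,
         "peak_per_min": max(per_minute[src].values()),
         "other_hosts": len(elsewhere[src])}
        for src, count in total.most_common()
    ]

if __name__ == "__main__":
    for entry in rank_sources(SAMPLE, "10.1.0.5"):
        print(entry)
```

A source with a high `syns_to_dc` count and `other_hosts` of 0 is concentrating on the one DC, which is the pattern described in the post; a source that also touches many other hosts looks more like address-space scanning.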