[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] New Blaster variant using UDP port 1038?

To: "Stahlkrantz, Mats (Mats)" <mstahlkrantz@lucent.com>, <full-disclosure@lists.netsys.com>
Subject: Re: [Full-Disclosure] New Blaster variant using UDP port 1038?
From: "Jeremiah Cornelius" <jeremiah@nur.net>
Date: Thu, 14 Aug 2003 13:13:26 -0700

> ---- Original Message ----- 
> From: Stahlkrantz, Mats (Mats)
> To: full-disclosure@lists.netsys.com
> Sent: Thursday, August 14, 2003 10:48 AM
> Subject: [Full-Disclosure] New Blaster variant using UDP port 1038?
>
>
>
> We're starting to see exploit attempts that are followed by probes from
the infected host on tcp/4444,
> and then UDP/1038.  Has anyone else seen this?

1038 UDP is used by BIND, and by one of the sundry lock RPCs in NFS.

The deal here is probably Dell OMI, a management interface.  Kurt Sifried
has this documented on his ports list at sifried.org

Are your machines Dell?  I would bet that killing RPC is making the OMI
agent go nutty, and broadcast.  The relevant executable is win32sl.exe.

-- 
Jeremiah Cornelius, CISSP, CCNA, MCSE, Debianaut
farm9 Security
email: jc@farm9.com - mobile: 415.235.7689

"What would be the use of immortality to a person who cannot use well a half
hour?"
--Ralph Waldo Emerson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] New Blaster variant using UDP port 1038?
  - From: "Stahlkrantz, Mats (Mats)" <mstahlkrantz@lucent.com>

Prev by Date: RE: [Full-Disclosure] Microsoft urging users to buy Harware Firewalls
Next by Date: [Full-Disclosure] Re: Buffer overflow prevention
Prev by thread: [Full-Disclosure] New Blaster variant using UDP port 1038?
Next by thread: Re: [Full-Disclosure] New Blaster variant using UDP port 1038?
Index(es):
- Date
- Thread