
[Full-Disclosure] Probable new MS DCOM RPC worm for Windows



We've noticed increased scan activity on port 135, ramping up over the 
past 20 hours.

The scanning appears to concentrate on nearby /16s.  For example, when 
the source host has an IP in 10.117.68.0/24, we've seen scanning of at 
least single /24s within 10.114.0.0/16, 10.118.0.0/16 and 
10.116.0.0/16, and nowhere else yet.

We've also had second-hand reports of svchost.exe being killed on hosts 
being attacked, causing patch downloads during the attack to fail.  
Also, at least two dialup links are being flooded into uselessness by 
the scan traffic from others nearby.


Richard

-------
Example headers:

Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 
2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
...
Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 
1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
...
Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 
3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)

-- 
To reply via email, make sure you don't enter the whirlpool on river left.

My mailbox. My property. My personal space. My rules. Deal with it.
                        http://www.river.com/users/share/cluetrain/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
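An added example, not part of the original post: a small script that reads tcpdump headers in the format shown above, keeps only TCP SYNs to port 135, groups them by source host, and records whether each target /24 sits in a "nearby" /16, i.e. within a few /16s of the source's own. The sample lines are constructed (the first three reproduce the headers in the post, the fourth is an unrelated HTTP SYN added as a control), and the radius of three /16s is an assumption chosen to cover the 10.114 through 10.118 spread the post reports, not anything the post states about how the worm picks targets.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample input in the tcpdump format used in the post.  The first
# three lines reproduce the post's example headers; the fourth is a normal
# HTTP SYN added as a control so the port filter has something to discard.
SAMPLE_LINES = """\
Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 20 13:55:16.000000 0800 62: 10.117.68.50.1915 > 192.0.2.10.80: S 1:1(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
"""

# "src.port > dst.port: S" -- tcpdump's old-style SYN header line.
SYN_RE = re.compile(
    r'(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S\b'
)


def parse_syn(line):
    """Return (src, sport, dst, dport) for a SYN header line, or None."""
    m = SYN_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)


def slash16(ip):
    """Integer index of the /16 containing ip (upper 16 bits of the address)."""
    return int(IPv4Address(ip)) >> 16


def slash24(ip):
    """The /24 containing ip, as a string."""
    return '.'.join(ip.split('.')[:3]) + '.0/24'


def distance16(a, b):
    """How many /16 blocks apart two hosts are (0 = same /16)."""
    return abs(slash16(a) - slash16(b))


def is_nearby(src, dst, radius=3):
    """Assumed 'nearby' test: destination /16 within `radius` of the source /16."""
    return distance16(src, dst) <= radius


def summarize(lines, port=135, radius=3):
    """Group SYNs to `port` by source; count nearby vs far targets per source."""
    per_src = defaultdict(lambda: {"target_24s": set(), "nearby": 0, "far": 0})
    for line in lines.splitlines():
        rec = parse_syn(line)
        if rec is None or rec[3] != port:
            continue                       # not a SYN, or not to the port of interest
        src, _, dst, _ = rec
        entry = per_src[src]
        entry["target_24s"].add(slash24(dst))
        if is_nearby(src, dst, radius):
            entry["nearby"] += 1
        else:
            entry["far"] += 1
    return dict(per_src)


def nearby_scanners(summary):
    """Sources whose port-scan targets were all in nearby /16s."""
    return sorted(src for src, e in summary.items()
                  if e["nearby"] > 0 and e["far"] == 0)


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for src in nearby_scanners(report):
        e = report[src]
        print(src, "->", sorted(e["target_24s"]), "nearby", e["nearby"], "far", e["far"])
```

Feed it real `tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 135'` output and the per-source nearby/far split is what separates the locality pattern described in the post from ordinary Internet-wide port 135 scanning.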