
Re: [Full-Disclosure] Probable new MS DCOM RPC worm for Windows



It can be people with autorooters, using it from Unix shells, or Windows
boxes.. doesn't have to be a worm... technically.. you can spread a trojan
just as fast with a scanner.. if not faster than a worm..

-phlox

----- Original Message ----- 
From: "Richard Johnson" <rnews@xxxxxxxxxxxxxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxx>; <incidents@xxxxxxxxxxxxxxxxx>
Sent: Saturday, September 20, 2003 1:41 PM
Subject: [Full-Disclosure] Probable new MS DCOM RPC worm for Windows


> We've noticed increased scan activity on port 135, ramping up over the
> past 20 hours.
>
> The scanning appears to concentrate on nearby /16s.  For example, when
> the source host has IP in 10.117.68.0/24, we've seen scanning of at
> least single /24s within 10.114.0.0/16, 10.118.0.0/16 and
> 10.116.0.0/16, and nowhere else yet.
>
> We've also had 2nd-hand reports of svchost.exe being killed on hosts
> being attacked, causing downloading patches during the attack to fail.
> Also, at least two dialup links are being flooded into uselessness by
> the scan traffic from others nearby.
>
>
> Richard
>
> -------
> Example headers:
>
> Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
> ...
> Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
> ...
> Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
>
> -- 
> To reply via email, make sure you don't enter the whirlpool on river left.
>
> My mailbox. My property. My personal space. My rules. Deal with it.
>                         http://www.river.com/users/share/cluetrain/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

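Richard's report is a source /24 sending bare SYNs to port 135 that cluster in neighbouring /16s, illustrated by three tcpdump lines. The Python below is an added example, not code from either poster: it parses lines in that exact format, groups port-135 SYNs by source /24 and splits each target /16 into "nearby" or "far". The nearby rule (same first octet, second octet within 4) and the two extra sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample input in the "Example headers" format: the first three lines
# are from the post, the last two are added noise (a port-80 SYN, a far-off /16).
SAMPLE_LINES = [
    "Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)",
    "Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)",
    "Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)",
    "Sep 20 14:00:00.000000 0800 62: 10.117.68.7.3001 > 10.117.9.9.80: S 1:1(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)",
    "Sep 20 14:01:00.000000 0800 62: 10.117.68.50.1920 > 10.200.1.1.135: S 5:5(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)",
]

SYN_RE = re.compile(  # timestamp  ethertype length:  src.port > dst.port: flags ...
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) \S+ \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+) "
)

def parse_syn_line(line):
    """Fields of a bare-SYN line (a connection attempt); None for anything else."""
    m = SYN_RE.match(line)
    if m is None or m.group("flags") != "S":
        return None
    return {"ts": m.group("ts"), "src": ip_address(m.group("src")), "dst": ip_address(m.group("dst")),
            "sport": int(m.group("sport")), "dport": int(m.group("dport"))}

def summarize_port135_syns(lines, port=135, max_octet_delta=4):
    """Group SYNs to `port` by source /24; split target /16s into nearby vs far."""
    # Assumed "nearby" rule: same first octet and second octet within max_octet_delta,
    # chosen so 10.114/10.116/10.118 count as nearby to a 10.117 source as in the post.
    report = defaultdict(lambda: {"syns": 0, "dst_24s": set(), "nearby_16s": set(), "far_16s": set()})
    for line in lines:
        rec = parse_syn_line(line)
        if rec is None or rec["dport"] != port:
            continue
        s, d = rec["src"].packed, rec["dst"].packed
        entry = report[str(ip_network(f"{rec['src']}/24", strict=False))]
        entry["syns"] += 1
        entry["dst_24s"].add(str(ip_network(f"{rec['dst']}/24", strict=False)))
        nearby = s[0] == d[0] and abs(s[1] - d[1]) <= max_octet_delta
        entry["nearby_16s" if nearby else "far_16s"].add(str(ip_network(f"{rec['dst']}/16", strict=False)))
    return dict(report)

def local_preference_scanners(report, min_nearby=2):
    """Source /24s whose port-135 SYNs favour neighbouring /16s (the local-sweep pattern)."""
    return sorted(src for src, e in report.items()
                  if len(e["nearby_16s"]) >= min_nearby and len(e["nearby_16s"]) > len(e["far_16s"]))
```

The same grouping applies whether the sender is a worm or a person driving a scanner, which is why the output is a list of source networks to investigate rather than a verdict.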