RE: [Full-Disclosure] ISS Security Brief: 'MS Blast' MSRPC DCOM Worm Propagation (fwd)

From: Daniele Muscetta (daniele_at_muscetta.com)
Date: 08/14/03

  • Next message: Lan Guy: "Re: [Full-Disclosure] ISP's save the Inet from Blaster?" 
    To: <daniele@muscetta.com>
Date: Thu, 14 Aug 2003 12:36:23 +0200 (W. Europe Daylight Time)

    Sorry, Errata on my words:

    > On its own it is harmful.

    I MEANT: "IT IS *NOT* HARMFUL."

    Daniele

    >> svchost.exe listens on several ports on windows xp.
    >> If microsoft is saying that it should never be on the
    >> internet, couldn't there be more b0f's discovered in
    >> the future? One peculiar service "DNS Client",
    >> although listening on a few random ports just about
    >> 1024, also runs off of svchost.exe.
    >
    > svchost is a "wrapper" for services that work as DLLs instead of being
    > implemented with their own .EXE.
    > On its own it is harmful.
    >
    > It is RPC which should not listen on the internet. It's a very different
    > matter.
    >
    > Anyway, "DNS Client" is the DNS RESOLVER, that component that queries
    > the DNS for you... and it does not listen, as far as I know.
    > It opens of course dynamic ports >1024 as SOURCE ports, to talk to DNS
    > server on target port 53... what would you expect it do otherwise ?
    >
    > It also implements the dynamic record registration for DDNS, so it
    > REGISTERS the address of the client on the server (if instructed to do
    > so, and if the server supports it).
    >
    >
    > ...if you don't want it, you might even want to remove resolv.conf from
    > your linux box.... since it might be just as harmful..... :)
    >
    >
    > Daniele
    >
    >
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Lan Guy: "Re: [Full-Disclosure] ISP's save the Inet from Blaster?"

    Relevant Pages

    • Re: SBS 2003 Single NIC firewall settings
      ... Then run the CEICW wizard from the Server management console ... > make a RAS VPN connection or access the company web site (which, ... > Internet and RRAS/VPN. ... > find where I go to open ports. ...
      (microsoft.public.windows.server.sbs)
    • Re: Attacker used MDM to gain access to client PCs
      ... VNC is pretty good (for internal use, dont open a port to the internet to ... If remote can goto server / remote pc and then connect to user pc, ... Visit www.grc.com and chose Shields Up to test which ports are open... ...
      (microsoft.public.windows.server.sbs)
    • Re: external ports
      ... SuperGumby [SBS MVP] wrote: ... interface and internet, get multiple IP's on the external side. ... subnet as external and see if the ports are accessible. ... These are enabled on the server. ...
      (microsoft.public.windows.server.sbs)
    • Re: Unable to connect to RWW over internet
      ... We had ISA when we used SBS 2000, but he didn't install it when we upgraded. ... I checked with our T1 supplier and their router has all the ports opened. ... > communicate with the user on the internet. ... which secures communications from your server and a Web ...
      (microsoft.public.windows.server.sbs)
    • Re: Remote Access to anything on the server
      ... you say the ports are open, but on the router the ports need to be pointed ... Are you running an SBS server at home, ... timeout may have occurred due to Internet congestion. ... Contact website: You may want to contact the website administrator to make ...
      (microsoft.public.windows.server.sbs)
    • Quantcast