Re: [Full-Disclosure] Probable new MS DCOM RPC worm for Windows

• Previous message: Richard M. Smith: "RE: [Full-Disclosure] Symantec wants to criminalize security info sharing"
• In reply to: Richard Johnson: "[Full-Disclosure] Probable new MS DCOM RPC worm for Windows"
• Next in thread: Richard Johnson: "[Full-Disclosure] Re: Probable new MS DCOM RPC worm for Windows"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <full-disclosure@lists.netsys.com>
Date: Sat, 20 Sep 2003 16:50:32 -0700

It can be people with autorooters, using it from unix shells, or windows
boxes.. doesnt have to be a worm... technically.. you can spread a trojan
just as fast with a scanner.. if not faster then a worm..

-phlox

----- Original Message -----
From: "Richard Johnson" <rnews@whirlpool.river.com>
To: <full-disclosure@lists.netsys.com>; <incidents@securityfocus.com>
Sent: Saturday, September 20, 2003 1:41 PM
Subject: [Full-Disclosure] Probable new MS DCOM RPC worm for Windows

> We've noticed increased scan activity on port 135, ramping up over the
> past 20 hours.
>
> The scanning appears to concentrate on nearby /16s. For example, when
> the source host has IP in 10.117.68.0/24, we've seen scanning of at
> least single /24s within 10.114.0.0/16, 10.118.0.0/16 and
> 10.116.0.0/16, and nowhere else yet.
>
> We've also had 2nd-hand reports of svchost.exe being killed on hosts
> being attacked, causing downloading patches during the attack to fail.
> Also, at least two dialup links are being flooded into uselessness by
> the scan traffic from others nearby.
>
>
> Richard
>
> -------
> Example headers:
>
> Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S
2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
> ...
> Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S
1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
> ...
> Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S
3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
>
> --
> To reply via email, make sure you don't enter the whirlpool on river left.
>
> My mailbox. My property. My personal space. My rules. Deal with it.
> http://www.river.com/users/share/cluetrain/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

• Previous message: Richard M. Smith: "RE: [Full-Disclosure] Symantec wants to criminalize security info sharing"
• In reply to: Richard Johnson: "[Full-Disclosure] Probable new MS DCOM RPC worm for Windows"
• Next in thread: Richard Johnson: "[Full-Disclosure] Re: Probable new MS DCOM RPC worm for Windows"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]