Re:
From: Gary Flynn (flynngn@jmu.edu)Date: 10/16/02
- Previous message: Hugo van der Kooij: "Re: apache problem"
- In reply to: Hay,Daniel: "RE:"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 15 Oct 2002 18:02:06 -0400 From: Gary Flynn <flynngn@jmu.edu> To: "Hay,Daniel" <DHay@EXCHANGE1.DREXEL.EDU>
"Hay,Daniel" wrote:
>
> We are in the same boat, We have udp/tcp 135-139 and 445
> blocked but we still see the spam.
Are you sure you have UDP 135 blocked? That is the
way the DirectAdvertiser stuff comes in. I'm
analyzing the packets now.
> We have identified 2 hosts on campus 1 is a Linux box
> running RedHat 7.3 the other seems to be a Win2k box.
What do you mean by "identified"? That they sent
messages or received them?
> I've done a quick check of the Linux box but it doesn't
> appear to be compromised, one thing I did notice from
> external scanning is that RPC on the Linux box is not
> configured correctly and allows forwarding of RPC requests.
Excuse my ignorance, but how did you scan the box
and in what way did it forward RPC requests? I'm not
sure what you mean by "misconfigured RPC installation".
Is the box running Samba? MS-RPC isn't the same as unix
RPC.
-- Gary Flynn Security Engineer - Technical Services James Madison UniversityPlease R.U.N.S.A.F.E. http://www.jmu.edu/computing/runsafe
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Previous message: Hugo van der Kooij: "Re: apache problem"
- In reply to: Hay,Daniel: "RE:"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
