Re:

From: Gary Flynn (flynngn@jmu.edu)
Date: 10/16/02


Date: Tue, 15 Oct 2002 18:02:06 -0400
From: Gary Flynn <flynngn@jmu.edu>
To: "Hay,Daniel" <DHay@EXCHANGE1.DREXEL.EDU>


"Hay,Daniel" wrote:
>
> We are in the same boat, We have udp/tcp 135-139 and 445
> blocked but we still see the spam.

Are you sure you have UDP 135 blocked? That is the
way the DirectAdvertiser stuff comes in. I'm
analyzing the packets now.

> We have identified 2 hosts on campus 1 is a Linux box
> running RedHat 7.3 the other seems to be a Win2k box.

What do you mean by "identified"? That they sent
messages or received them?

> I've done a quick check of the Linux box but it doesn't
> appear to be compromised, one thing I did notice from
> external scanning is that RPC on the Linux box is not
> configured correctly and allows forwarding of RPC requests.

Excuse my ignorance, but how did you scan the box
and in what way did it forward RPC requests? I'm not
sure what you mean by "misconfigured RPC installation".

Is the box running Samba? MS-RPC isn't the same as unix
RPC.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E. http://www.jmu.edu/computing/runsafe

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com