RE: Exploit for Windows RPC may be in the wild!
From: Eric Appelboom (eric_at_mweb.com)
Date: 07/28/03
- Previous message: Dowling, Gabrielle: "RE: email worm? Newsletter, aaa.exe, caraoke ksp.exe"
- Maybe in reply to: Compton, Rich: "Exploit for Windows RPC may be in the wild!"
- Next in thread: Paul Tinsley: "RE: Exploit for Windows RPC may be in the wild!"
- Reply: Paul Tinsley: "RE: Exploit for Windows RPC may be in the wild!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Jul 2003 19:15:17 +0200
To: <incidents@securityfocus.com>
Yeah, the exploit works way too well for my liking.
The win32 binary didn't seem to work though.
I usually found that one can try once to get the OS/SP pair correct. If not, the machine carries on its merry way even if you get the OS/SP pair correct.
A nice indicator that a machine has been exploited is that after you quit from the shell, it causes NTAuthority to panic and shut the machine down after 60 seconds.
Some Snort sigs I came across; don't know how good they are.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2190; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2191; rev:1;)
On a side note to those in ISP scenarios, any thoughts about blocking netbios inbound to pops?
Eric
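The two Snort rules above share one DCERPC content chain, and it is not obvious from the option syntax what they actually alert on. The following Python is an added example, not code from the message or from the Snort project, that walks the same byte checks over a connection-oriented DCERPC PDU so a defender can see the condition: a first-fragment bind (ptype 0x0b) whose byte at offset 24, the n_context_elem field of the bind body, is zero. Field offsets are taken from the DCE 1.1 RPC PDU layout; the sample PDUs are constructed here. Only the DCERPC part is reproduced: sid 2191 applies the same chain after locating the SMB Transaction and the \PIPE\ name, which this example does not model.

```python
"""Re-implementation of the DCERPC checks shared by Snort sid 2190 and sid 2191.

Added example, not part of the original message. Offsets follow the DCE 1.1
connection-oriented RPC PDU layout; every sample PDU is constructed below.
"""
import struct

# Byte offsets inside a connection-oriented DCERPC PDU.
RPC_VERS_OFF = 0          # rpc_vers: always 5
PTYPE_OFF = 2             # packet type: 0x0b is bind
PFC_FLAGS_OFF = 3         # fragment flags: bit 0 is PFC_FIRST_FRAG
FRAG_LEN_OFF = 8          # frag_length, little-endian when drep byte 0 has bit 4 set
N_CONTEXT_ELEM_OFF = 24   # bind body: number of presentation context elements offered

PTYPE_REQUEST = 0x00
PTYPE_BIND = 0x0B
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02


def matches_invalid_bind_rule(payload: bytes) -> bool:
    """Mirror the content/byte_test chain of the quoted rules over one DCERPC PDU.

    Snort option by option (cursor starts at offset 0 of the PDU):
      content:"|05|"; distance:0; within:1   -> payload[0] == 0x05   (RPC version 5)
      content:"|0b|"; distance:1; within:1   -> payload[2] == 0x0b   (ptype bind)
      byte_test:1,&,1,0,relative             -> payload[3] & 0x01    (first fragment;
                                                byte_test does not advance the cursor)
      content:"|00|"; distance:21; within:1  -> payload[3 + 21] == 0x00
    Offset 24 of a bind PDU is n_context_elem, so the rule fires on a first-fragment
    bind that offers zero presentation contexts. A legitimate client offers at
    least one, hence the "invalid bind attempt" message.
    """
    if len(payload) <= N_CONTEXT_ELEM_OFF:
        return False                      # too short for the within:1 at offset 24
    return (payload[RPC_VERS_OFF] == 0x05
            and payload[PTYPE_OFF] == PTYPE_BIND
            and (payload[PFC_FLAGS_OFF] & PFC_FIRST_FRAG) != 0
            and payload[N_CONTEXT_ELEM_OFF] == 0x00)


def build_bind_pdu(n_context_elem: int, call_id: int = 1) -> bytes:
    """Constructed sample: a minimal bind PDU with the given context-element count.

    Only the 16-byte header and the fixed part of the bind body are emitted; the
    context elements themselves are omitted because the rule never reads past
    offset 24.
    """
    body = struct.pack("<HHI", 5840, 5840, 0)           # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", n_context_elem, 0, 0)   # n_context_elem, reserved, reserved2
    frag_len = 16 + len(body)
    header = struct.pack("<BBBB4sHHI",
                         5, 0, PTYPE_BIND, PFC_FIRST_FRAG | PFC_LAST_FRAG,
                         b"\x10\x00\x00\x00",           # drep: little-endian integers, ASCII
                         frag_len, 0, call_id)          # frag_length, auth_length, call_id
    return header + body


def classify_samples() -> dict:
    """Run the rule logic over constructed PDUs; returns {sample name: matched}."""
    request = bytearray(build_bind_pdu(0))
    request[PTYPE_OFF] = PTYPE_REQUEST                   # identical bytes, but not a bind
    samples = {
        "normal_bind_one_context": build_bind_pdu(1),
        "bind_zero_contexts": build_bind_pdu(0),
        "request_pdu_zero_contexts": bytes(request),
        "truncated_bind": build_bind_pdu(0)[:20],
    }
    return {name: matches_invalid_bind_rule(pdu) for name, pdu in samples.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:28s} -> {'ALERT' if hit else 'no match'}")
```

Two things follow from reading the rule this way. It keys on a single malformation in the bind, not on the vulnerable RPC call itself, so it is an indicator of one known tool's traffic rather than coverage for MS03-026, and it says nothing about binds that arrive in later TCP segments unless the sensor reassembles the stream (the `flow:established` option assumes it does). Treat a hit as a reason to check the host, and the absence of hits as no evidence either way.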
-----Original Message-----
From: morning_wood [mailto:se_cur_ity@hotmail.com]
Sent: 27 July 2003 10:17 PM
To: Compton, Rich; incidents@securityfocus.com
It is in the wild and very, very effective; in random testing I'm finding 80% of all XP/2k boxes affected...
Donnie Werner
http://exploitlabs.com
----- Original Message -----
From: "Compton, Rich" <RCompton@chartercom.com>
To: <incidents@securityfocus.com>
Sent: Friday, July 25, 2003 12:45 PM
Subject: Exploit for Windows RPC may be in the wild!
> FYI,
> ISPs are reporting a dramatic increase in traffic on TCP port 135. No
> exploit code has been captured as of yet but the increase in traffic on this
> port probably indicates that exploit code is being executed! Block ports
> 135 through 139 and 445!
>
> More info:
> http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
>
> -Rich Compton