RE: SUMMARY: SMB overflow attacks

From: Thierry De Leeuw (thierry.deleeuw@wanadoo.be)
Date: 09/02/02


From: "Thierry De Leeuw" <thierry.deleeuw@wanadoo.be>
To: <jasonc@science.org>, "Aditya" <adityald2@gmx.net>, <vuln-dev@security-focus.com>
Date: Mon, 2 Sep 2002 20:46:38 +0200

Hi,

On my box it's msdtc (Microsoft Distributed Transaction Coordinator) that is
using this port.

mstask.exe is 1026.

I found this out by using TCP View. This tool can be freely downloaded from
http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Hope it helps!

Best regards,

Thierry De Leeuw

-----Original Message-----
From: Jason Coombs [mailto:jasonc@science.org]
Sent: Saturday, August 31, 2002 9:02 PM
To: Aditya; vuln-dev@security-focus.com
Subject: RE: SUMMARY: SMB overflow attacks

mstask.exe is not running on this box.

Task Scheduler service is set to Manual.

Any other ideas?

Thanks.

Jason Coombs
jasonc@science.org

-----Original Message-----
From: Aditya [mailto:adityald2@gmx.net]
Sent: Friday, August 30, 2002 10:18 PM
To: jasonc@science.org; vuln-dev@security-focus.com
Subject: Re: SUMMARY: SMB overflow attacks

sorry about the mistake about the DCOM - the good thing is already you have
disabled that

for 1025 - you have to disable the scheduler service "mstask.exe"

for 1027 it's dcom

-aditya

----- Original Message -----
From: "Jason Coombs" <jasonc@science.org>
To: "Aditya" <adityald2@gmx.net>; <vuln-dev@security-focus.com>
Sent: Saturday, August 31, 2002 8:33 AM
Subject: RE: SUMMARY: SMB overflow attacks

> DCOM is already disabled and all transports are removed from the list in
> DCOMCNFG.EXE.
>
> System still binds to 1025 TCP.
>
> Are you sure this is all you did to stop this port binding on your box?
>
> Thanks.
>
> Jason Coombs
> jasonc@science.org
>
> -----Original Message-----
> From: Aditya [mailto:adityald2@gmx.net]
> Sent: Friday, August 30, 2002 5:47 AM
> To: jasonc@science.org; vuln-dev@security-focus.com
> Subject: Re: SUMMARY: SMB overflow attacks
>
>
> the 1025 port is bound because the machine is win2k which has com enabled by
> default
>
> disable com and this will vanish
>
> aditya
>
> ----- Original Message -----
> From: "Jason Coombs" <jasonc@science.org>
> To: <vuln-dev@security-focus.com>
> Sent: Friday, August 30, 2002 5:10 AM
> Subject: RE: SUMMARY: SMB overflow attacks
>
>
> > However, port 1025 is still being bound by SYSTEM ... I have no idea why.
> >
>
>
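
The thread's question is which process or service owns the listener on ports 1025 to 1027. The following is an added example, not part of the original messages, showing one way to answer it on a current Windows system without a GUI tool. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`), and the port range is taken from the ports named in the thread.

```powershell
# Added example: map listening TCP ports to the owning process and to any
# Windows services hosted inside that process.
# Assumption: NetTCPIP module is available (Windows 8 / Server 2012+).
$ports = 1025..1027   # ports discussed in the thread; adjust as needed

Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $ports } |
    Sort-Object LocalPort, LocalAddress |
    ForEach-Object {
        $owningPid = $_.OwningProcess
        $proc = Get-Process -Id $owningPid -ErrorAction SilentlyContinue

        # Several services can share one host process, so list every service
        # registered under this PID. Skip PID 0: stopped services also report
        # ProcessId 0 and would all match.
        $svcs = @()
        if ($owningPid -gt 0) {
            $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $owningPid" |
                    Select-Object -ExpandProperty Name
        }

        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            OwnerPid     = $owningPid
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Services     = ($svcs -join ', ')
        }
    } | Format-Table -AutoSize
```

Run it from an elevated prompt so that processes owned by other accounts resolve to a name. An empty `Services` column means the listener belongs to a process that is not registered as a service.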


