Educause Security Discussion mailing list archives
MS RPC exploits - Scanner-based, worms, etc - Information Sharing??
From: Jim Moore <jhmfa () RIT EDU>
Date: Fri, 8 Aug 2003 19:51:57 -0400
Many people saw the article in The Chronicle of Higher Education "Network Administrators on Campuses Scramble to Fix 'Critical' Security Flaw in Windows" By FLORENCE OLSEN (http://chronicle.com/daily/2003/08/2003080801t.htm)

What are people doing about it? Beyond the information available at CERT, and Symantec (Backdoor.IRC.Cirebot), and at the Internet Storm Center (which describes some snort rules to monitor DCOM traffic).

A command line exploit code for the RPC DCOM problems has been published at http://oc192.netfirms.com/, and is simple to compile and execute, but is manual. The Full-Disclosure list also had a lot of discussion and a scanner based attack tool that would walk an IP range.

Most of what we have seen is an exploit of RPC DCOM, then a backdoor installation, then a patching of the RPC DCOM vulnerability, leaving only the backdoor. We are starting to see variants that drop an FTP server instead of a command prompt backdoor.

It has been reported that virus detection will pick up the "stealther" version, and even clean it. It has been reported that the "stealther" version will remove the registry keys for the operation of virus detection to operate properly.

Is anyone able to share information?

Jim

--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax: (585)475-7950
PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.