Educause Security Discussion mailing list archives
Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing??
From: Angel L Cruz <cruz () AUSTIN UTEXAS EDU>
Date: Mon, 11 Aug 2003 09:25:16 -0500
Colleagues:

We activated our CERT, communicated with campus technology leaders, and escalated response based on best intelligence at our disposal. Specifically we have:

- Scanned for vulnerables using NESSUS plug-ins 11709 (to see RPC active) and 11808 (to see RPC exploitable);
- Sent out the troops (department tech staff) to patch systems, and kept them informed of their status (how many we showed they still had to repair);
- Identified and scanned for ports being used for RogueFTP and similar insertions into compromised machines (a specific pattern was seen here);
- Blocked compromised machines at various network points (required they be rebuilt to get back on the network);
- Implemented NetBIOS filters at the border (we saw active sweep scans on one of our class B's) and identified workarounds for users (ongoing);
- Blocked vulnerable machines at various network points until they were patched (attention getter);
- Identified false positives (Windows 98/ME; some Cisco devices and HP-UX) and false negatives (breached machines with RPC patched and DCOM disabled - courtesy of your favorite intruder group);
- Wrestled with blocks of DHCP address machines (MAC blocks may not be effective depending on network equipment and configurations);
- Communicated to the campus (especially effective was an FAQ type, layman's term problem description and user guide);
- Kept tabs with technical staff until we had containment;
- Recommended auto-update to all, and re-emphasized anti-virus updating (we have a license for Big Fix, a product that IMHO works very well for both OS and AV update notification);
- Monitored IRC traffic to identify .edu bots and continue to send out many notices to .edu security folks.

I cannot emphasize enough the value of clear and controlled communications with the campus community and event escalation based on best intelligence at your disposal.
If you have not, I recommend you consider how to handle (triage/contact) returning residential students, laptop carrying students, and faculty who may have vulnerable and/or breached machines - could be a problem. This event has made it clear to me that we need to engage in dialog re: how to better manage the technology environment to reduce this patch madness (sneaker net and user level patching does not scale well).

Thanks.

Mr. Angel L. Cruz, BS
Director & University ISO
ITS - Information Security Office
The University of Texas at Austin
1 University Station, #G0900
Austin, Texas 78712-0557
(512) 475-9462
cruz () austin utexas edu

-----Original Message-----
From: Jim Moore [mailto:jhmfa () RIT EDU]
Sent: Friday, August 08, 2003 6:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MS RPC exploits - Scanner-based, worms, etc - Information Sharing??

Many people saw the article in The Chronicle of Higher Education "Network Administrators on Campuses Scramble to Fix 'Critical' Security Flaw in Windows" By FLORENCE OLSEN (http://chronicle.com/daily/2003/08/2003080801t.htm)

What are people doing about it? Beyond the information available at CERT, and Symantec (Backdoor.IRC.Cirebot), and at the Internet Storm Center (which describes some snort rules to monitor DCOM traffic).

A command line exploit code for the RPC DCOM problems has been published at http://oc192.netfirms.com/, and is simple to compile and execute, but is manual. The Full-Disclosure list also had a lot of discussion and a scanner based attack tool that would walk an IP range. Most of what we have seen is an exploit of RPC DCOM, then a backdoor installation, then a patching of the RPC DCOM vulnerability, leaving only the backdoor. We are starting to see variants that drop an FTP server instead of a command prompt backdoor. It has been reported that virus detection will pick up the "stealther" version, and even clean it. It has been reported that the "stealther" version will remove the registry keys for the operation of virus detection to operate properly.

Is anyone able to share information?

Jim
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax: (585)475-7950
PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
**********
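An added illustration (not code from either poster) of the triage step Angel Cruz describes: turning scan results for plug-ins 11709 (RPC active) and 11808 (RPC exploitable) into per-department "still to repair" counts while setting aside the OS families he lists as false positives. The CSV layout is a constructed, simplified export, not real Nessus output.

```python
"""Triage of RPC/DCOM scan results into repair lists and review lists.

Input is a constructed 'host,os,department,plugin-ids' text, NOT real
Nessus output. Plug-in ids 11709 (RPC active) and 11808 (RPC
exploitable) are the ones named in the message; the false-positive OS
families (Windows 98/ME, Cisco, HP-UX) are the ones it reports.
"""
from collections import defaultdict

RPC_ACTIVE = "11709"       # RPC reachable, not by itself a repair item
RPC_EXPLOITABLE = "11808"  # host flagged as exploitable
# OS families the message reports as false positives for 11808
FALSE_POSITIVE_OS = ("windows 98", "windows me", "cisco", "hp-ux")

# Constructed sample scan export: host,os,department,semicolon-separated ids
SAMPLE_SCAN = """\
10.1.1.10,Windows 2000,physics,11709;11808
10.1.1.11,Windows XP,physics,11709
10.1.1.12,Windows 98,physics,11709;11808
10.1.2.20,Windows XP,library,11709;11808
10.1.2.21,Cisco IOS,library,11709;11808
10.1.3.30,HP-UX 11,engineering,11808
10.1.3.31,Windows NT,engineering,11709;11808
"""


def triage(scan_text):
    """Return (to_repair, review): to_repair maps department -> hosts
    flagged exploitable; review holds likely false positives for a
    human look rather than an automatic network block."""
    to_repair = defaultdict(list)
    review = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        host, os_name, dept, plugins = line.split(",", 3)
        plugin_ids = set(plugins.split(";"))
        if RPC_EXPLOITABLE not in plugin_ids:
            continue  # only 11709 fired: RPC active but not exploitable
        if os_name.lower().startswith(FALSE_POSITIVE_OS):
            review.append((host, os_name))
        else:
            to_repair[dept].append(host)
    return dict(to_repair), review


def status_report(scan_text):
    """Per-department count of hosts still to repair, for status mails."""
    to_repair, _ = triage(scan_text)
    return {dept: len(hosts) for dept, hosts in to_repair.items()}
```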