Educause Security Discussion mailing list archives
UT/ISO: MS-RPC hacked b0t identification
From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Thu, 31 Jul 2003 15:37:06 -0500
Colleagues --

If you aren't filtering NetBIOS ports (especially 135/tcp,udp) in response to the recent RPC DCOM vuln, you might want to begin looking for compromised hosts on your networks.

These particular ports might be useful:
*-others are certainly possible-*

RogueFTP servers (grab banners): 1223,6565,22222,45000,48522,64978,65456/TCP ; usually Serv-U ftp
RogueIRC server: 56498/TCP
Control channels: 10001,4444,5555,6351,7890/TCP ; typically rlogin, etc.

Might not be a bad idea to use an IDS at your border to monitor for things like non-standard FTP (=!21).

It is also the case that attackers will either disable DCOM or patch the host machine to evade vulnerability scanners and to avoid being back hacked by another team.

~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
cam () austin utexa edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
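The port and banner checks suggested in the message above, sketched as an added example that is not part of the original post. It assumes you already have (host, port, first server bytes) tuples from your own banner-grab or border sensor; the function names and the sample records are constructed for illustration.

```python
import re

# Ports listed in the message above, grouped by the role the message gives them.
WATCH_PORTS = {
    "rogue-ftp": {1223, 6565, 22222, 45000, 48522, 64978, 65456},
    "rogue-irc": {56498},
    "control": {10001, 4444, 5555, 6351, 7890},
}
FTP_BANNER = re.compile(rb"^220[ -]")  # FTP service-ready greeting (RFC 959)
SERV_U = re.compile(rb"serv-u", re.IGNORECASE)


def classify(record):
    """Return a sorted list of reasons to look at one listening TCP service.

    record: (host, port, banner), where banner is the first bytes the
    server sent, or b"" if nothing was captured.
    """
    host, port, banner = record
    reasons = [f"{role}-port" for role, ports in WATCH_PORTS.items() if port in ports]
    if port != 21 and FTP_BANNER.match(banner):
        reasons.append("ftp-banner-on-non-21")  # the "non-standard FTP" case
    if SERV_U.search(banner):
        reasons.append("serv-u-banner")  # informational: message says "usually Serv-U"
    return sorted(reasons)


def triage(records):
    """Map host -> {port: reasons} for every record with at least one reason."""
    hits = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits.setdefault(rec[0], {})[rec[1]] = reasons
    return hits


# Constructed sample data (documentation addresses, invented banners).
SAMPLE = [
    ("192.0.2.10", 21, b"220 ftp.example.edu FTP server ready\r\n"),
    ("192.0.2.44", 65456, b"220 Serv-U FTP Server ready...\r\n"),
    ("192.0.2.44", 4444, b""),
    ("192.0.2.77", 8021, b"220-Welcome\r\n"),
    ("192.0.2.90", 80, b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for host, ports in triage(SAMPLE).items():
        print(host, ports)
```

The FTP-banner check catches rogue servers on ports outside the list, which matters because the message notes that other ports are certainly possible.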