Educause Security Discussion mailing list archives

UT/ISO: MS-RPC hacked b0t identification


From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Thu, 31 Jul 2003 15:37:06 -0500

Colleagues --

If you aren't filtering NetBIOS ports (especially 135/tcp,udp)
in response to the recent RPC DCOM vuln, you might want to begin
looking for compromised hosts on your networks.

These particular ports might be useful:
*-others are certainly possible-*

RogueFTP servers (grab banners):
1223,6565,22222,45000,48522,64978,65456/TCP
        ; usually Serv-U ftp

RogueIRC server: 56498/TCP

Control channels: 10001,4444,5555,6351,7890/TCP
        ; typically rlogin, etc.

Might not be a bad idea to use an IDS
at your border to monitor for things like
non-standard FTP (!= 21)..

It is also the case that attackers will either disable DCOM
or patch the host machine to evade vulnerability scanners
and to avoid being back-hacked by another team..

~cam.

Cam Beasley
ITS/Information Security Office    
The University of Texas at Austin        
cam () austin utexa edu
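As an added example (not part of Cam's post, and not UT/ISO's own tooling): a short Python script that applies the two checks suggested above to banner-grab results, flagging any FTP-style "220" greeting served on a port other than 21 (regardless of whether the port is on the list) and any connection to the FTP, IRC and control ports listed in the post. The tab-separated record format and the sample records are constructed for this example; the Serv-U banner text is illustrative only.

```python
"""
Added example (not from the original post): flag banner-grab records that look
like FTP on a non-standard port, or that hit the ports listed in the post.

Record format (constructed for this example, tab-separated):
    src_ip <TAB> dst_ip <TAB> dst_port <TAB> banner (may be empty)
"""
import re
from dataclasses import dataclass

# Ports called out in the post (all TCP).
ROGUE_FTP_PORTS = {1223, 6565, 22222, 45000, 48522, 64978, 65456}
ROGUE_IRC_PORTS = {56498}
CONTROL_PORTS = {10001, 4444, 5555, 6351, 7890}

# An FTP server greets with a 220 reply code (RFC 959), e.g. "220 ... ready".
FTP_BANNER = re.compile(r"^220[ -]")


@dataclass
class Record:
    src: str
    dst: str
    dport: int
    banner: str


def parse_record(line):
    """Parse one tab-separated record (constructed format) into a Record."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        raise ValueError("expected 4 tab-separated fields: %r" % line)
    src, dst, dport, banner = parts
    return Record(src, dst, int(dport), banner)


def classify(rec):
    """Return the list of findings for one record; empty if nothing notable."""
    findings = []
    # Check 1: FTP greeting anywhere other than 21/tcp (catches unlisted ports too).
    if FTP_BANNER.match(rec.banner) and rec.dport != 21:
        findings.append("ftp-banner-nonstandard-port")
    # Check 2: ports the post associates with rogue FTP, rogue IRC and control channels.
    if rec.dport in ROGUE_FTP_PORTS:
        findings.append("listed-rogue-ftp-port")
    if rec.dport in ROGUE_IRC_PORTS:
        findings.append("listed-rogue-irc-port")
    if rec.dport in CONTROL_PORTS:
        findings.append("listed-control-port")
    return findings


def scan(lines):
    """Map (dst_ip, dst_port) -> findings for every record that triggers a check."""
    hits = {}
    for line in lines:
        if not line.strip():
            continue  # skip blank lines
        rec = parse_record(line)
        findings = classify(rec)
        if findings:
            hits[(rec.dst, rec.dport)] = findings
    return hits


# Constructed sample banner-grab output; addresses are documentation ranges.
SAMPLE_LOG = """\
10.0.0.5\t192.0.2.10\t21\t220 ProFTPD ready
10.0.0.5\t192.0.2.11\t6565\t220 Serv-U FTP Server v4.0 for WinSock ready...
10.0.0.5\t192.0.2.12\t56498\t:irc.example NOTICE AUTH :*** Looking up your hostname
10.0.0.5\t192.0.2.13\t4444\t
10.0.0.5\t192.0.2.14\t80\tHTTP/1.0 200 OK
10.0.0.5\t192.0.2.15\t2121\t220 Serv-U FTP Server v4.0 for WinSock ready...
"""

if __name__ == "__main__":
    for (dst, port), findings in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print("%s:%d  %s" % (dst, port, ", ".join(findings)))
```

Feed it the output of whatever banner grabber you already run (one record per host/port), and review the hosts it lists; a "220" greeting on 2121/tcp is flagged even though that port is not in the post, while the legitimate FTP server on 21/tcp and the web server on 80/tcp are not.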
                  
