Full Disclosure mailing list archives
Re: RE: possible MS03-026 worm?
From: "CHeeKY" <cheekypeople () sec33 com>
Date: Sat, 2 Aug 2003 20:54:55 +0100
if the guy did a pen test for his bank was that internal or external, for sure I can crash everything inside the network.. I expect that a worm will develop there no doubting in that, I am just not one for the sensationalism of these things, yeah it's expected, but wtf why panic people, the patches are out there, have faith and trust in what you protect..

----- Original Message -----
From: "morning_wood" <se_cur_ity () hotmail com>
To: "mobly99" <dhopper () ameritech net>; <full-disclosure () lists netsys com>
Sent: Saturday, August 02, 2003 7:59 PM
Subject: Re: [Full-disclosure] RE: possible MS03-026 worm?

funny.. i had traces and warnings about this for a while now...

http://exploit.philez.com/attack/RPC-DCOM-DD0S-attack.txt ( relocated www.exploitlabs.com files )
http://nothackers.org/pipermail/0day/2003-July/000140.html
http://nothackers.org/pipermail/0day/2003-July/000143.html
http://nothackers.org/pipermail/0day/2003-July/000154.html

this was when the world said.. umm
http://nothackers.org/pipermail/0day/2003-July/000146.html

and I quote
"hi ! i did a pentest for a bank in order to verify the RPC attack consequences !! .. It's the biggest attack .. I broke into many servers and also crash many others !! I think 95% of the windows infrastructure was under control in less than 2 hours !! so, morning_wood was RIGHT !"

guess ppl should listen to me instead of waiting for @steak (sic) to read my postings. etc etc

Donnie Werner
co-founder e2-labs
morning_wood () e2-labs com

----- Original Message -----
From: "mobly99" <dhopper () ameritech net>
To: <full-disclosure () lists netsys com>
Sent: Saturday, August 02, 2003 11:03 AM
Subject: [Full-disclosure] RE: possible MS03-026 worm?

I forwarded the files I found to neohapsis and securityfocus. I'm not equipped with the knowledge to disassemble the code hopefully they can shed some light.

The rpctest.exe appears to determine the remote system's OS and spawns a shell, which you can then telnet to.
Tftpd.exe is this tftp server : http://www.hanewin.de/e-tftp.htm
Worm.exe is a SFX that has rpc.exe tftpd.exe and rpctest.exe in them, extracts and launches them....

-Dave Hopper

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html