Full Disclosure mailing list archives
Re: TCP ports 1025-1030 and DCOM exploit
From: Joey <joey2cool () yahoo com>
Date: Sun, 10 Aug 2003 12:36:36 -0700 (PDT)
The exploit is for DCOM, not RPC. I believe those ports might have something to do with the "DNS Client" service, which does not need to be running. You can lock down all ports run by Windows XP by using this guide - http://www.blackviper.com/WinXP/servicecfg.htm

You can disable port 135 by using the dcomcnfg program (be sure to use this before you disable any other services if you want to disable the port) - http://www.jsifaq.com/SUBO/tip7000/rh7010.htm

I managed to get Windows XP not listening on any ports and still function 100%. Windows XP is a secure OS, but not out of the box. I don't think it can be used on port 445 either, since that is the SMB file/print sharing port.

--- "Edward W. Ray" <support () mmicman com> wrote:

> I have found that the RPC service in Windows also uses TCP ports 1025-1030 for communication with domain controllers (DCs). I found this out by accident by blocking ports in my Windows 2003 domain and observing failed RPC connectivity using the netdiag command on clients. I also observed attempts at connection on TCP port 1025. Once I added TCP port 1025 to my list of allowed ports and ran netdiag, a connection between DC port 1025 and the client (higher port number) was established.
>
> Is this another possible attack vector? I have not had time to test it myself, which is why I am asking.
>
> Regards,
> Edward W. Ray
> SANS GCIA, GCIH
>
> _______________________________________________
> Full-Disclosure - We believe in it. Charter:
> http://lists.netsys.com/full-disclosure-charter.html
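The ports Edward saw on the DC are RPC dynamic endpoints: the endpoint mapper on TCP 135 hands a client whatever port the RPC server registered, and on Windows of that era those start at 1025 and climb, which is why a firewall that only opens 1025 works until the next service grabs it. The practical fix a practitioner would want is to pin the RPC runtime to a known range on the RPC server (here, the DC) and firewall 135 plus that range, then verify nothing is left listening in 1025-1030. The script below is an added example written for this page, not something either poster provided; it assumes a Windows version with the `netsh advfirewall` context and `Get-NetTCPConnection` (Windows 8 / Server 2012 or later), uses the Microsoft-documented `HKLM\SOFTWARE\Microsoft\Rpc\Internet` key, and the port range 5000-5100 and the 192.0.2.x client addresses are arbitrary placeholders.

```powershell
# Added example (not from the thread). Run elevated on the RPC server whose
# dynamic endpoints you want to pin (the DC in Edward's case). The RPC change
# takes effect after a reboot.

$RpcRange = '5000-5100'            # hypothetical range; pick one free on your hosts
$Clients  = '192.0.2.0/24'         # hypothetical client subnet (RFC 5737 doc range)

# 1. Pin the RPC runtime to an explicit dynamic-port range.
#    Ports is REG_MULTI_SZ; the two flags tell RPC to use that list for all endpoints.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports'                  -Value @($RpcRange) -PropertyType MultiString -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Value 'Y'          -PropertyType String      -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -Value 'Y'          -PropertyType String      -Force | Out-Null

# 2. Allow the endpoint mapper and the pinned range inbound only from the
#    client subnet; everything else stays under the profile's default block.
netsh advfirewall firewall add rule name="RPC endpoint mapper from clients" dir=in action=allow protocol=TCP localport=135       remoteip=$Clients
netsh advfirewall firewall add rule name="RPC dynamic range from clients"   dir=in action=allow protocol=TCP localport=$RpcRange remoteip=$Clients

# 3. After the reboot, confirm no RPC endpoint is left in 1025-1030 (the range
#    the thread is about) and see which process owns anything that is.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge 1025 -and $_.LocalPort -le 1030 } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
                  @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }
```

Step 3 returning nothing is the result to aim for; if it still lists a port, the owning process either has not restarted since the registry change or binds a fixed port of its own rather than asking RPC for one, and it needs its own rule or service-level decision rather than a wider firewall hole.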
Current thread:
- TCP ports 1025-1030 and DCOM exploit Edward W. Ray (Aug 10)
- RE: +++++SPAM+++++ TCP ports 1025-1030 and DCOM exploit; false positive Edward W. Ray (Aug 10)
- <Possible follow-ups>
- Re: TCP ports 1025-1030 and DCOM exploit Joey (Aug 10)