Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DCOM Worm released

From: Dennis Opacki <dopacki () adotout com>
Date: Mon, 11 Aug 2003 17:45:59 -0400 (EDT)

Never mind. SANS now indicates:

Infection sequence:

1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit
   to TARGET
2. this causes a remote shell on port 4444 at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the
   shell on port 4444,
4. the target will now connect to the tftp server at the SOURCE.


On Mon, 11 Aug 2003, Dennis Opacki wrote:



Can anyone confirm whether the tftp transfers appear to be solely from the
hosts listed in the initial sans.org note (which now appear to have been
taken down), or is the transfer done from the infecting host?

TIA,

-Dennis

On Mon, 11 Aug 2003, Joey wrote:


They found a worm, but since it uses tftp servers that
can be taken down and since tftp is slow, it shouldnt
have much of an effect.

"Scans sequentially for machines with open port 135,
starting at a presumably random IP address" - very
stupid way to spread!

http://isc.sans.org/diary.html?date=2003-08-11

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: