Full Disclosure mailing list archives
Re: New Blaster variant using UDP port 1038?
From: "Jeremiah Cornelius" <jeremiah () nur net>
Date: Thu, 14 Aug 2003 13:13:26 -0700
----- Original Message -----
From: Stahlkrantz, Mats (Mats)
To: full-disclosure () lists netsys com
Sent: Thursday, August 14, 2003 10:48 AM
Subject: [Full-disclosure] New Blaster variant using UDP port 1038?

We're starting to see exploit attempts that are followed by probes from the infected host on tcp/4444, and then UDP/1038. Has anyone else seen this?

1038 UDP is used by BIND, and by one of the sundry lock RPCs in NFS.

The deal here is probably Dell OMI, a management interface. Kurt Sifried has this documented on his ports list at sifried.org.

Are your machines Dell? I would bet that killing RPC is making the OMI agent go nutty, and broadcast. The relevant executable is win32sl.exe.

--
Jeremiah Cornelius, CISSP, CCNA, MCSE, Debianaut
farm9 Security
email: jc () farm9 com - mobile: 415.235.7689

"What would be the use of immortality to a person who cannot use well a half hour?"
--Ralph Waldo Emerson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- New Blaster variant using UDP port 1038? Stahlkrantz, Mats (Mats) (Aug 14)
- Re: New Blaster variant using UDP port 1038? Jeremiah Cornelius (Aug 14)
- Re: New Blaster variant using UDP port 1038? Jeremiah Cornelius (Aug 14)
- Re: New Blaster variant using UDP port 1038? w g (Aug 14)
- Re: New Blaster variant using UDP port 1038? Nick FitzGerald (Aug 14)
- Re: New Blaster variant using UDP port 1038? w g (Aug 14)
- <Possible follow-ups>
- RE: New Blaster variant using UDP port 1038? Stahlkrantz, Mats (Mats) (Aug 14)
- Re: New Blaster variant using UDP port 1038? Donnie Weiner (Aug 14)