Full Disclosure mailing list archives
RE: DCOM RPC exploit (dcom.c)
From: Ron DuFresne <dufresne () winternet com>
Date: Mon, 28 Jul 2003 11:38:43 -0500 (CDT)
[SNIP]
This is simply and plainly false. I don't know why people can't seem to grasp this. I know of several major corporations who not only had 1434/UDP blocked at the firewall but also on a number of internal routers *and* had aggressive patching programs, and they *still* suffered from Slammer. All it takes is *one* infected box *inside* the network to negate all the hard work you've done trying to keep the worm out. When you have 150,000 machines worldwide, having 1% of those unpatched (which is a 99% *success* rate) means you have 1500! vulnerable machines. Most situations that I'm familiar with were in the tens - not even the hundreds - but it only took 10 or 15 machines to take down the entire network due to the nature of that worm. 10 or 15 boxes represents 1/100th of a percent of the total, yet that small number could completely destabilize a network and cause untold hours of work for the admins and networking staff.
Granted, a lot of companies and most gov and edu sites seem to not know how to prevent a system from joining the network without first being audited to ensure it complies with the site's security policy. And for those organizations, this posting by Paul rings true. Those sites that have stringent security policies and a means of enforcement of those policies in place, do not face these problems, especially each and every time a new sploit comes out. Certainly worked for the groups I was associated with at NRTLE a few years back, and their being spread globally, due to many acquisitions, as well as having a variety of OS's to contend with, certainly had the numbers of users and systems that seems to make many admins shudder at trying to manage. If the tools did not exist to do what we needed to do, we ended up building our own. We do much the same at the present location I work in. Though I have to admit, maintaining M$ is someone else's headache here and was at Nortel. But, some folks seem to handle it better than others.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html