Full Disclosure mailing list archives

Re: DCOM RPC exploit (dcom.c)


From: Ron DuFresne <dufresne () winternet com>
Date: Sun, 27 Jul 2003 01:30:34 -0500 (CDT)

On 26 Jul 2003, Paul Schmehl wrote:

On Sat, 2003-07-26 at 22:29, Ron DuFresne wrote:

I'm just trying to understand how corporate networks would/should be at
risk with this, why port 135 would not be filtered already limiting
exposure.  Is there a reason why it would not be that I'm missing?

Are you really serious?  Recall Slammer?  There were networks that were
locked down pretty tight.  Slammer couldn't get in, right?  Then one
developer who got his unpatched copy of SQL inside the network, by
logging in through VPN with his infected laptop, took the entire network
down.

You can't get in to our network on those ports either - unless you're
already in.  But I can guarantee you that we'll be chasing infected
boxes down for days after the worm hits.  And we've already patched
everything that we could patch.  I scan for Slammer every week, because
every week someone new decides to install SQL unpatched or some stupid
app that has an unpatched copy of MSDE.  Now I'll be chasing the RPC
worm around too.

You can't firewall 135 inside your network or you'd have no network.

But you can at the outgoing gateway, as well as log the events there to
help in locating inside infections.  Slammer and some of the other recent
worms giving a good heads-up to folks that filtering is indeed not a one
way proposition.

Ingress as well as egress filtering has been something strongly advocated
for quite some time.


If an internal network gets so infected that it's clogging the outgoing
gateway chokepoint, then it's time to take that network 'offline' from the
rest of the internet and cleanup.  Unless the company line on this is open
all ports and let the rest of the world fend for themselves while we try
and cleanup this mess, which was the decision on a number of places during
recent worm exploits and not limited to slammer.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
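
Added example, not part of the original message: one way to use drop logs from the outgoing gateway to locate inside infections, as the reply above suggests. The iptables-style log format, the EGRESS-DROP prefix, the sample lines and the threshold are assumptions; TCP/135 is the port discussed in the thread and UDP/1434 is the port Slammer used.

```python
import re
from collections import defaultdict

# TCP/135 (DCOM RPC) is the port from the thread; UDP/1434 is the
# SQL Server Resolution Service port that Slammer used.
WATCHED = {("TCP", 135): "dcom-rpc", ("UDP", 1434): "slammer"}
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample of gateway drop logs (iptables LOG style, assumed
# prefix "EGRESS-DROP"); addresses are private and documentation ranges.
SAMPLE_LOG = """\
Jul 27 01:12:03 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=198.51.100.7 PROTO=TCP SPT=3121 DPT=135
Jul 27 01:12:03 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=198.51.100.8 PROTO=TCP SPT=3122 DPT=135
Jul 27 01:12:04 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=198.51.100.9 PROTO=TCP SPT=3123 DPT=135
Jul 27 01:12:04 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.4.23 DST=198.51.100.10 PROTO=TCP SPT=3124 DPT=135
Jul 27 01:12:05 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.9.8 DST=203.0.113.5 PROTO=UDP SPT=1045 DPT=1434
Jul 27 01:12:05 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.9.8 DST=203.0.113.77 PROTO=UDP SPT=1045 DPT=1434
Jul 27 01:12:05 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.9.8 DST=203.0.113.140 PROTO=UDP SPT=1045 DPT=1434
Jul 27 01:12:07 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.5 DST=198.51.100.7 PROTO=TCP SPT=4410 DPT=135
Jul 27 01:12:08 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.1.2.5 DST=198.51.100.20 PROTO=TCP SPT=4411 DPT=443
Jul 27 01:12:09 gw sshd[411]: Accepted publickey for admin from 10.1.0.2
"""

def suspect_hosts(log_text, prefix="EGRESS-DROP", min_targets=3):
    """Return (src, label, distinct_dst_count) for inside hosts whose dropped
    outbound traffic on a watched port fans out to many destinations."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if prefix not in line:
            continue                      # not a gateway drop record
        f = dict(FIELD.findall(line))
        try:
            key = (f["PROTO"], int(f["DPT"]))
            src, dst = f["SRC"], f["DST"]
        except (KeyError, ValueError):
            continue                      # e.g. ICMP or truncated line
        if key in WATCHED:
            targets[(src, WATCHED[key])].add(dst)
    hits = [(src, label, len(dsts)) for (src, label), dsts in targets.items()
            if len(dsts) >= min_targets]
    # Widest fan-out first: those hosts are the most likely scanners.
    return sorted(hits, key=lambda h: (-h[2], h[0]))

if __name__ == "__main__":
    for src, label, count in suspect_hosts(SAMPLE_LOG):
        print(f"{src}: {count} distinct destinations blocked ({label})")
```

Counting distinct destinations rather than raw drops separates a scanning host from one that retries a single blocked connection.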

