Full Disclosure mailing list archives
Re: DCOM RPC exploit (dcom.c)
From: Ron DuFresne <dufresne () winternet com>
Date: Sun, 27 Jul 2003 01:30:34 -0500 (CDT)
On 26 Jul 2003, Paul Schmehl wrote:
> On Sat, 2003-07-26 at 22:29, Ron DuFresne wrote:
> > I'm just trying to understand how corporate networks would/should be at risk with this, why port 135 would not be filtered already, limiting exposure. Is there a reason why it would not be that I'm missing?
>
> Are you really serious? Recall Slammer? There were networks that were locked down pretty tight. Slammer couldn't get in, right? Then one developer who got his unpatched copy of SQL inside the network, by logging in through VPN with his infected laptop, took the entire network down. You can't get in to our network on those ports either - unless you're already in. But I can guarantee you that we'll be chasing infected boxes down for days after the worm hits. And we've already patched everything that we could patch. I scan for Slammer every week, because every week someone new decides to install SQL unpatched or some stupid app that has an unpatched copy of MSDE. Now I'll be chasing the RPC worm around too. You can't firewall 135 inside your network or you'd have no network.

But you can at the outgoing gateway, as well as log the events there to help in locating inside infections. Slammer and some of the other recent worms gave a good heads-up to folks that filtering is indeed not a one-way proposition. Ingress as well as egress filtering has been something strongly advocated for quite some time. If an internal network gets so infected that it's clogging the outgoing gateway chokepoint, then it's time to take that network 'offline' from the rest of the internet and clean up. Unless the company line on this is open all ports and let the rest of the world fend for themselves while we try and clean up this mess, which was the decision in a number of places during recent worm exploits, and not limited to Slammer.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
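Ron's point is that an egress rule dropping outbound TCP/135 at the gateway, combined with logging, turns a worm's own scanning into an inventory of infected internal hosts. The script below is an added example, not part of the original post or the list archive: it parses a constructed sample of iptables-style LOG lines (hosts, timestamps and the `EGRESS135` log prefix are invented for illustration) and ranks internal sources by how many distinct destinations they tried to reach on port 135. A patched, idle workstation should never show up; a host hitting many destinations on 135 in a few seconds is the one to go and pull off the wire.

```python
"""Rank internal hosts by blocked outbound TCP/135 attempts seen in gateway logs.

Added example (not the original poster's code).  It assumes a gateway rule that
logs outbound 135/tcp before dropping it, e.g. (hypothetical rule, not from the
post):

    iptables -A FORWARD -o eth0 -p tcp --dport 135 -j LOG --log-prefix "EGRESS135 "
    iptables -A FORWARD -o eth0 -p tcp --dport 135 -j DROP

and that the resulting kernel LOG lines are fed to this script.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log.  Internal 10.0.5.23 sprays several external hosts on
# 135/tcp, 10.0.7.41 makes a single attempt, and 10.0.9.9's line is ordinary
# port-80 traffic logged by an unrelated rule and must be ignored.
SAMPLE_LOG = """\
Jul 27 01:30:01 gw kernel: EGRESS135 IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=1034 DPT=135 SYN
Jul 27 01:30:01 gw kernel: EGRESS135 IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.8 LEN=48 PROTO=TCP SPT=1035 DPT=135 SYN
Jul 27 01:30:01 gw kernel: EGRESS135 IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.9 LEN=48 PROTO=TCP SPT=1036 DPT=135 SYN
Jul 27 01:30:02 gw kernel: EGRESS135 IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.4 LEN=48 PROTO=TCP SPT=1037 DPT=135 SYN
Jul 27 01:30:02 gw kernel: EGRESS135 IN=eth1 OUT=eth0 SRC=10.0.7.41 DST=203.0.113.20 LEN=48 PROTO=TCP SPT=2201 DPT=135 SYN
Jul 27 01:30:03 gw kernel: EGRESS135 IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=1038 DPT=135 SYN
Jul 27 01:30:03 gw kernel: OTHER IN=eth1 OUT=eth0 SRC=10.0.9.9 DST=203.0.113.6 LEN=48 PROTO=TCP SPT=3000 DPT=80 SYN
"""

# Address space considered "inside"; an assumption for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Pull the fields we care about out of the netfilter KEY=VALUE format.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return {'src', 'dst', 'proto', 'dpt'} for a LOG line, or None if malformed."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"].upper(),
        "dpt": int(fields["DPT"]),
    }


def is_internal(addr):
    """True if addr falls inside one of INTERNAL_NETS (bad addresses count as external)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def distinct_destinations(log_text, port=135):
    """Map each internal source to the set of destinations it hit on TCP/<port>."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != port:
            continue
        if not is_internal(rec["src"]):
            continue  # only inside hosts are candidates for "infected"
        seen[rec["src"]].add(rec["dst"])
    return seen


def suspect_hosts(log_text, threshold=3, port=135):
    """Internal hosts that contacted at least `threshold` distinct targets on the port.

    Returns (src, count) pairs, busiest first, so the list can go straight to
    whoever is chasing boxes down.
    """
    counts = {src: len(dsts) for src, dsts in distinct_destinations(log_text, port).items()}
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(src, n) for src, n in ranked if n >= threshold]


if __name__ == "__main__":
    for src, n in suspect_hosts(SAMPLE_LOG):
        print(f"{src}: {n} distinct destinations on tcp/135 blocked at the gateway")
```

The threshold is deliberately low in the sample; on a real gateway you would tune it to the log window, but the shape of the signal is the same: one legitimate RPC client might touch one or two partner hosts, while a worm-driven host touches as many addresses as it can generate.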