RE : Pubstro rash

[Bourque Daniel <Daniel.Bourque () loto-quebec com>]

Yes you can block TCP/UDP 53 for all except your real DNS server.

Nobody need DNS/SMTP access from Inside to Outside your firewall.  You just
have to open it for your dedicated server.  


-----Message d'origine-----
De : David Gillett [mailto:gillettdavid () fhda edu] 
Envoyé : 17 mars, 2005 15:35
À : incidents () securityfocus com
Objet : RE: Pubstro rash


  Further detail:  I'm being told that all of the compromised workstations
are running 2KPro or NTW.  So that suggests that the attackers are getting
in through a hole that is fixed in XP or its service packs.

> -----Original Message-----
> From: David Gillett [mailto:gillettdavid () fhda edu]
> Sent: Wednesday, March 16, 2005 5:59 PM
> To: 'incidents () securityfocus com'
> Subject: Pubstro rash
>
>
>   A few times in the past, someone has managed to break
> into one or another of our servers and set up an FTP server
> ("pubstro") on an unused high port.  I'm facing something
> similar at the moment, but there are some distinct differences:
>
> 1.  The compromised hosts are workstations, not servers.
> I'm hoping our field techs will be able to identify a
> common OS/SP level amongst the compromised machines.  No
> servers appear to be affected.
>
> 2.  There have been 14 of them in less than 5 days.  OUCH.
>
> 3.  Instead of a random high port, the installed FTP server
> listens on port 53.  Which I can't block, because DNS may
> need to use it, right?
>
> 4.  The FTP banners all claim to be the work of "Droppunx".
>
> 5.  At this point, I don't know how the machines are getting
> compromised initially.  I'd appreciate if anyone else is seeing
> this pattern and has some insight they'd care to share.
>
> David Gillett