nanog mailing list archives
Re: RPC errors and latest worm
From: "Stewart, William C (Bill), RTSLS" <billstewart () att com>
Date: Mon, 11 Aug 2003 18:37:11 -0500
According to http://isc.sans.org/diary.html?date=2003-08-11 , the worm uses the latest popular MS exploit ports, so " * Close port 135/tcp (and if possible 135-139, 445 and 593) ". It also uses TCP port 4444 and TFTP = UDP 69 to download its attack code after getting the initial bootstrap infection. So you probably want to be blocking TCP 4444 and (if appropriate, which it usually is, TFTP), and tracing any 4444 activity and TFTPs to detect attacks.
Current thread:
- Re: RPC errors and latest worm Stewart, William C (Bill), RTSLS (Aug 11)
- Re: RPC errors and latest worm Scott Fendley (Aug 11)
- <Possible follow-ups>
- Re: RPC errors and latest worm Kevin Loch (Aug 11)