nanog mailing list archives

Re: New attack against port 135?


From: Andrew D Kirch <trelane () 2mbit com>
Date: Fri, 10 Oct 2003 12:38:48 -0500


The kiddies have finally exploited the RPC SS/RPC DCOMII exploits that Microsoft patched after internal auditing. I 
first got word of a working exploit about a week ago, but no real confirmation, and I put very little credence in 
"<kiddie> I hax0rz your b0x3n!" Then scanning went exponentially through the roof. So it looks like the kiddie's 
right. I doubt there's a virus per se, more like kiddies hunting for vulnerable boxes to install DDoS trojans on. 
Anyone who honeypots one of these scans and gets a trojan, please notify me and forward it; it would be most helpful. 
(Also obviously forward to Symantec et al.)


On Fri, 10 Oct 2003 13:26:58 -0400
Peter John Hill <peterjhill () cmu edu> wrote:


I am seeing lots of scanning of port 135 on my network. 66 byte long packets. Anyone have a name for this? It is less 
aggressive than the welchia scans I have seen. Seems to scan at about 3000 or so flows per 5 minutes.

Thanks
Peter Hill
Network Engineer
Carnegie Mellon



-- 

Andrew D Kirch  |           trelane () 2mbit com            | 
Security Admin  |  Summit Open Source Development Group  | www.sosdg.org


