Educause Security Discussion mailing list archives

Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing??


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Mon, 11 Aug 2003 06:38:00 -0400

Don't know if you saw the story in the Chronicle last week
(http://chronicle.com/daily/2003/08/2003080801t.htm).
Here is news from Berkeley and Stanford (from Security Wire Digest).

Norton has recently released a "fix tool" for the "Stealther/WinShell"
trojan/worm/rootkit combo which we saw in the northeast.

Morrow

WINDOWS RPC FLAW EXPLOITED IN CAMPUS HACKER ATTACKS
California universities are among the first public victims of the Windows
Remote Procedure Call (RPC) protocol flaw, which allows an attacker to run
code of choice on a compromised system.

Cedric Bennett, director of information security at Stanford University,
says 2,400 of his school's computers were tainted with deeply embedded
code. The unauthorized code, which Bennett declined to describe in detail,
will have to be manually removed, a process that could take several hours
for each compromised machine.

According to a news release, Bennett suspects that the university
computers were infected by a laptop brought in from the outside and then
connected to the university network.

More than 100 computers were also compromised at the University of
California at Berkeley. Fearing that "tens of thousands" of PCs might not
be patched against the RPC flaw, the university instituted a campus-wide
network port shutdown. The RPC exploit uses port 135, 139 or 445 or any
other specifically configured RPC port. Only a handful of servers have
been exempted at the request of their administrators.

Experts last month began warning of the RPC flaw in almost all versions of
Windows. A patch has been issued, but exploit code, including bots that
scan for the flaw, has proliferated online.

"We expected this to start happening sooner," says Dan Ingevaldson,
Internet Security Systems (ISS) X-Force engineering manager, adding that
the attacks are likely "the start of something more."

Ingevaldson says college networks are logical early targets because they
often have numerous unprotected computers. He suspects the installed code
is most likely aimed at enabling the machines to be used in
denial-of-service attacks or for stolen bandwidth to download pirated
movies or music.

Ingevaldson says it's impossible to predict what will happen next, but he
believes ISPs are unlikely to actively filter the vulnerable port because
it will impede e-mail and other applications. The best defense is applying
the patch, he says.
http://windowsupdate.microsoft.com
http://news-service.stanford.edu/news/2003/august20/hackers-820.html
http://www.berkeley.edu/news/media/releases/2003/08/04_pcpatch.shtml
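The digest names ports 135, 139 and 445 as the ones the RPC exploit and its scanning bots use, and describes Berkeley's response as a campus-wide port shutdown. The following is an added example, not code from the list post or from Security Wire Digest, of how a campus network team could spot worm-like fan-out on those ports in firewall logs before resorting to a blanket shutdown. The log format (timestamp, source, destination, destination port, action) and the sample lines are constructed for the example; the `find_rpc_scanners` and `parse_line` names and the `min_targets` threshold are this example's own choices.

```python
import re
from collections import defaultdict

# Ports the digest names for the RPC exploit and the bots scanning for it.
RPC_PORTS = {135, 139, 445}

# Constructed sample firewall lines (assumed format: ts src dst dport action).
# These are illustrative only, not real campus logs.
SAMPLE_LOG = """\
2003-08-08T09:00:01 10.7.3.21 10.7.4.10 135 DENY
2003-08-08T09:00:01 10.7.3.21 10.7.4.11 135 DENY
2003-08-08T09:00:02 10.7.3.21 10.7.4.12 135 DENY
2003-08-08T09:00:02 10.7.3.21 10.7.4.13 445 DENY
2003-08-08T09:00:03 10.7.3.21 10.7.4.14 139 DENY
2003-08-08T09:00:03 10.7.3.21 10.7.4.15 445 DENY
2003-08-08T09:00:05 10.7.9.2 10.7.4.10 445 ALLOW
2003-08-08T09:00:06 10.7.9.2 10.7.4.10 445 ALLOW
2003-08-08T09:00:07 10.7.5.77 10.7.4.22 80 ALLOW
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, action = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def find_rpc_scanners(log_text, min_targets=5):
    """Return {src: set(dst)} for sources that touched an RPC port on >= min_targets distinct hosts.

    A legitimate file-sharing client talks to a few servers repeatedly; a scanning
    bot sweeps many distinct addresses on the same port. Counting distinct
    destinations per source (rather than raw hits) separates the two.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in RPC_PORTS:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


def scanner_report(log_text, min_targets=5):
    """Sorted (src, distinct_target_count) tuples, most active source first."""
    hits = find_rpc_scanners(log_text, min_targets)
    return sorted(((src, len(dsts)) for src, dsts in hits.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for src, n in scanner_report(SAMPLE_LOG):
        print(f"{src} hit RPC ports on {n} distinct hosts - candidate for isolation and patching")
```

Sources flagged this way are candidates for quarantine and patching rather than automatic blocking; the threshold should be tuned against a baseline of normal RPC traffic, since domain controllers and file servers legitimately talk to many hosts on these ports.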

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
