Educause Security Discussion mailing list archives
Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing??
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Mon, 11 Aug 2003 06:38:00 -0400
Don't know if you saw the story in the Chronicle last week (http://chronicle.com/daily/2003/08/2003080801t.htm). Here is news from Berkeley and Stanford (from Security Wire Digest).

Norton has recently released a "fix tool" for the "Stealther/WinShell" trojan/worm/rootkit combo which we saw in the northeast.

Morrow

WINDOWS RPC FLAW EXPLOITED IN CAMPUS HACKER ATTACKS

California universities are among the first public victims of the Windows Remote Procedure Call (RPC) protocol flaw, which allows an attacker to run code of choice on a compromised system.

Cedric Bennett, director of information security at Stanford University, says 2,400 of his school's computers were tainted with deeply imbedded code. The unauthorized code, which Bennett declined to describe in detail, will have to be manually removed, a process that could take several hours for each compromised machine. According to a news release, Bennett suspects that the university computers were infected by a laptop brought in from the outside and then connected to the university network.

More than 100 computers were also compromised at the University of California at Berkeley. Fearing that "tens of thousands" of PCs might not be patched against the RPC flaw, the university instituted a campus-wide network port shutdown. The RFC exploit uses port 135, 139 or 445 or any other specifically configured RPC port. Only a handful of servers have been exempted at the request of their administrators.

Experts last month began warning of the RPC flaw in almost all versions of Windows. A patch has been issued, but exploit code, including bots that scan for the flaw, have proliferated online.

"We expected this to start happening sooner," says Dan Ingevaldson, Internet Security Systems (ISS) X-Force engineering manager, adding that the attacks are likely "the start of something more."

Ingevaldson says college networks are logical early targets because they often have numerous unprotected computers. He suspects the installed code is most likely aimed at enabling the machines to be used in denial-of-service attacks or for stolen bandwidth to download pirated movies or music.

Ingevaldson says it's impossible to predict what will happen next, but he believes ISPs are unlikely to actively filter the vulnerable port because it will impede e-mail and other applications. The best defense is applying the patch, he says.

http://windowsupdate.microsoft.com
http://news-service.stanford.edu/news/2003/august20/hackers-820.html
http://www.berkeley.edu/news/media/releases/2003/08/04_pcpatch.shtml

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.