Educause Security Discussion mailing list archives
Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing??
From: Ariel Silverstone <ariel.silverstone () TEMPLE EDU>
Date: Mon, 11 Aug 2003 08:59:54 -0400
Hi! We are using Shavlik to audit our MS based servers, we sent a global (90000+) email about it and we hardcopy memo circulate to about 27,000 more individuals. Thank you, Ariel Silverstone -----Original Message----- From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Moore Sent: Friday, August 08, 2003 7:52 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? Many people saw the article in The Chronicle of Higher Education "Network Administrators on Campuses Scramble to Fix 'Critical' Security Flaw in Windows" By FLORENCE OLSEN (http://chronicle.com/daily/2003/08/2003080801t.htm) What are people doing about it? Beyond the information available at CERT, and Symantec (Backdoor.IRC.Cirebot), and at the Internet Storm Center (which describes some snort rules to monitor DCOM traffic). A command line exploit code for the RPC DCOM problems has been published at http://oc192.netfirms.com/, and is simple to compile and execute, but is manual. The Full-Disclosure list also had a lot of discussion and a scanner based attack tool that would walk an IP range. Most of what we have seen is an exploit of RPC DCOM, then a backdoor installation, then a patching of the RPC DCOM vulnerability, leaving only the backdoor. We are starting to see variants that drop an FTP server instead of a command prompt backdoor. It has been reported that virus detection will pick up the "stealther" version, and even clean it. It has been reported that the "stealther" version will remove the registry keys for the operation of virus detection to operate properly. Is anyone able to share information? Jim -- -- Jim Moore, CISSP, IAM Information Security Officer Rochester Institute of Technology 13 Lomb Memorial Drive Rochester, NY 14623-5603 Telephone: (585)475-5406 Fax: (585)475-7950 PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0 ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? Jim Moore (Aug 08)
- <Possible follow-ups>
- Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? H. Morrow Long (Aug 08)
- Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? H. Morrow Long (Aug 11)
- Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? Ariel Silverstone (Aug 11)
- Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? Angel L Cruz (Aug 11)