Educause Security Discussion mailing list archives

Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing??

From: Ariel Silverstone <ariel.silverstone () TEMPLE EDU>
Date: Mon, 11 Aug 2003 08:59:54 -0400

Hi!

We are using Shavlik to audit our MS based servers, we sent a global
(90000+) email about it and we hardcopy memo circulate to about 27,000 more
individuals.

Thank you,

Ariel Silverstone

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Moore
Sent: Friday, August 08, 2003 7:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MS RPC exploits - Scanner-based, worms, etc -
Information Sharing??

Many people saw the article in The Chronicle of Higher Education
"Network Administrators on Campuses Scramble to Fix 'Critical' Security
Flaw in Windows"
By FLORENCE OLSEN
(http://chronicle.com/daily/2003/08/2003080801t.htm)

What are people doing about it?

Beyond the information available at CERT, and Symantec
(Backdoor.IRC.Cirebot), and at the Internet Storm Center (which
describes some snort rules to monitor DCOM traffic).

A command line exploit code for the RPC DCOM problems has been published
at  http://oc192.netfirms.com/, and is simple to compile and execute,
but is manual.  The Full-Disclosure list also had a lot of discussion
and a scanner based attack tool that would walk an IP range.

Most of what we have seen is an exploit of RPC DCOM, then a backdoor
installation, then a patching of the RPC DCOM vulnerability, leaving
only the backdoor.  We are starting to see variants that drop an FTP
server instead of a command prompt backdoor.

It has been reported that virus detection will pick up the "stealther"
version, and even clean it.  It has been reported that the "stealther"
version will remove the registry keys for the operation of virus
detection to operate properly.

Is anyone able to share information?

Jim


--
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Current thread:

MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? Jim Moore (Aug 08)
- <Possible follow-ups>
- Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? H. Morrow Long (Aug 08)
- Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? H. Morrow Long (Aug 11)
- Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? Ariel Silverstone (Aug 11)
- Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? Angel L Cruz (Aug 11)