Educause Security Discussion mailing list archives
Re: A worm exploiting RPC
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Mon, 11 Aug 2003 18:24:17 -0500
If it's visible above the standard Abilene noise, you're more than likely going to be joined by a lot more sites before the night is over.

For those of you still fortifying and/or without a good info source, take a look at http://xforce.iss.net/xforce/alerts/id/150.

M.

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Pat Wilson [mailto:paw () noh ucsd edu]
Sent: Monday, August 11, 2003 5:29 PM
To: Bruhn, Mark S.
Cc: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] A worm exploiting RPC

Umm - welcome to the party?

This has been hammering us since 1030 PDT. We've blocked our outbound 135 traffic (inbound was already blocked, so it came in on a laptop or something).

See http://isc.sans.org/diary.html?date=2003-08-11 for current thought.

Pat Wilson
Network Security Manager
UCSD ACS/Network Operations
paw () ucsd edu
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015

From owner-security () LISTSERV EDUCAUSE EDU Mon Aug 11 15:22:05 2003
Date: Mon, 11 Aug 2003 17:21:30 -0500
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Subject: [SECURITY] A worm exploiting RPC
To: SECURITY () LISTSERV EDUCAUSE EDU

We're seeing a lot of traffic associated with this on the Abilene backbone, and it's building steam. You'll want to start looking at your own netflow data right away, if you have access to it, or contact your upstream provider. You're looking for outgoing packets to TCP/135, and they appear to be 48 byte packets.

M.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
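The netflow check described in the thread (outgoing TCP/135, 48-byte packets), sketched as an added example that is not part of the original messages. The CSV flow layout, the campus prefix `10.20.0.0/16`, the fan-out threshold, and the function name `find_scanners` are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions (not from the thread): CSV flow export layout, campus prefix,
# and the number of distinct destinations that marks a host as scanning.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
MIN_DISTINCT_DSTS = 5
RPC_PORT = 135       # TCP/135, as reported in the thread
PACKET_SIZE = 48     # bytes per packet, as reported in the thread

# Constructed sample flow records (documentation address ranges).
SAMPLE_FLOWS = """\
src,dst,proto,dport,packets,bytes
10.20.5.17,192.0.2.10,tcp,135,1,48
10.20.5.17,192.0.2.11,tcp,135,1,48
10.20.5.17,192.0.2.12,tcp,135,2,96
10.20.5.17,198.51.100.7,tcp,135,1,48
10.20.5.17,198.51.100.8,tcp,135,1,48
10.20.5.17,203.0.113.9,tcp,135,1,48
10.20.5.17,10.20.1.1,tcp,135,1,48
10.20.8.3,192.0.2.10,tcp,135,1,48
10.20.9.9,192.0.2.80,tcp,80,1,48
10.20.7.7,192.0.2.10,tcp,135,12,4310
not-an-ip,192.0.2.10,tcp,135,1,48
"""

def find_scanners(flow_csv, internal=INTERNAL_NET, min_dsts=MIN_DISTINCT_DSTS):
    """Map each internal source to its count of distinct external TCP/135
    destinations reached with 48-byte packets, keeping only high fan-out hosts."""
    targets = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport, packets, nbytes = (int(row[k]) for k in ("dport", "packets", "bytes"))
            proto = row["proto"].lower()
        except (KeyError, ValueError, TypeError, AttributeError):
            continue  # skip malformed or truncated records
        outbound = src in internal and dst not in internal
        if not (outbound and proto == "tcp" and dport == RPC_PORT):
            continue
        if packets > 0 and nbytes == packets * PACKET_SIZE:
            targets[str(src)].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_dsts}

if __name__ == "__main__":
    print(find_scanners(SAMPLE_FLOWS))
```

Hosts returned here are candidates for isolation and patching; a single matching flow, like the one from `10.20.8.3` in the sample, stays below the threshold.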