Educause Security Discussion mailing list archives

Re: A worm exploiting RPC


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Mon, 11 Aug 2003 20:08:59 -0500

Geez.  Thanks.

Well, either I didn't pay attention, or they added a boatload of stuff
to that since I read it earlier.  Good thing we have other technical
people working on this!

-- 
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Phil Rodrigues [mailto:Phil.Rodrigues () UCONN EDU] 
Sent: Monday, August 11, 2003 8:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] A worm exploiting RPC


http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

"You should block access to TCP port 4444 at the firewall level, and
block the following ports, if they do not use the applicaitons [SIC]
listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP""

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues () uconn edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================





"Bruhn, Mark S." <mbruhn () INDIANA EDU>
Sent by: The EDUCAUSE Security Discussion Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
08/11/2003 09:00 PM
Please respond to The EDUCAUSE Security Discussion Group Listserv


        To:     SECURITY () LISTSERV EDUCAUSE EDU
        Subject:        Re: [SECURITY] A worm exploiting RPC


We've had tftp/udp/69 blocked forever.

I haven't seen reference to 4444, and the NOC didn't report any traffic
on that -- I'm asking hereabouts.

--
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Jack Suess [mailto:jack () UMBC EDU]
Sent: Monday, August 11, 2003 7:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] A worm exploiting RPC


In looking at this at UMBC it appears from our logs to be trying to
connect back through tftp on port 4444 to download the payload. Has
anyone else noticed this behavior? We do not know if there are multiple
versions but we have blocked 4444 outbound as a precaution right now.

jack suess
CIO

On Mon, 11 Aug 2003, Bruhn, Mark S. wrote:

If it's visible above the standard Abilene noise, you're more than
likely going to be joined by a lot more sites before the night is
over.

For those of you still fortifying and/or without a good info source,
take a look at http://xforce.iss.net/xforce/alerts/id/150.

M.

--
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Pat Wilson [mailto:paw () noh ucsd edu]
Sent: Monday, August 11, 2003 5:29 PM
To: Bruhn, Mark S.
Cc: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] A worm exploiting RPC



Umm - welcome to the party?  This has been hammering us since
1030 PDT.  We've blocked our outbound 135 traffic (inbound was
already blocked, so it came in on a laptop or something).

See
        http://isc.sans.org/diary.html?date=2003-08-11
for current thought.


Pat Wilson
Network Security Manager
UCSD ACS/Network Operations
paw () ucsd edu
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015


        Date:         Mon, 11 Aug 2003 17:21:30 -0500
        From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
        Subject: [SECURITY] A worm exploiting RPC
        To: SECURITY () LISTSERV EDUCAUSE EDU

        We're seeing a lot of traffic associated with this on the Abilene
        backbone, and it's building steam.  You'll want to start looking
        at your own netflow data right away, if you have access to it, or
        contact your upstream provider.  You're looking for outgoing
        packets to TCP/135, and they appear to be 48 byte packets.

        M.

        --
        Mark S. Bruhn, CISSP, CISM

        Chief IT Security and Policy Officer
        Interim Director, Research and Educational Networking Information
        Sharing and Analysis Center (ren-isac () iu edu)

        Office of the Vice President for Information Technology and CIO
        Indiana University
        812-855-0326

        Incidents involving IU IT resources: it-incident () iu edu
        Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

        **********
        Participation and subscription information for this EDUCAUSE
        Discussion Group discussion list can be found at
        http://www.educause.edu/cg/.
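As an added example (not from the thread or any of its posters), a small Python check that applies the indicators the thread names, 48-byte packets fanning out to TCP/135 plus any flow to TCP/4444 or UDP/69, to flow records in a constructed, flattened one-line format. The record format, the host addresses and the fan-out threshold are assumptions; real NetFlow exports would need their own parser.

```python
import re
from collections import defaultdict

# Constructed one-flow-per-line format (not a real NetFlow export syntax):
# "<src_ip> <dst_ip> <tcp|udp> <dst_port> <packets> <bytes>"
FLOW_RE = re.compile(r"^(\S+) (\S+) (tcp|udp) (\d+) (\d+) (\d+)$")

def parse_flow(line):
    """Return (src, dst, proto, dport, pkts, bytes) or None for an unparsable line."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    src, dst, proto, dport, pkts, nbytes = m.groups()
    return src, dst, proto, int(dport), int(pkts), int(nbytes)

def find_suspects(lines, fanout_threshold=5):
    """Flag sources showing the indicators named in the thread:
    many distinct targets on tcp/135 at 48 bytes per packet (scanning),
    or any flow to tcp/4444 (remote shell) or udp/69 (tftp payload fetch).
    Returns {src_ip: sorted list of reasons}."""
    targets_135 = defaultdict(set)
    reasons = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue  # skip junk rather than abort the whole run
        src, dst, proto, dport, pkts, nbytes = f
        if proto == "tcp" and dport == 135 and pkts and nbytes // pkts == 48:
            targets_135[src].add(dst)
        elif proto == "tcp" and dport == 4444:
            reasons[src].add("tcp/4444")
        elif proto == "udp" and dport == 69:
            reasons[src].add("udp/69")
    for src, dsts in targets_135.items():
        if len(dsts) >= fanout_threshold:
            reasons[src].add("tcp/135 fanout=%d" % len(dsts))
    return {src: sorted(r) for src, r in reasons.items()}

# Constructed sample flows (assumed addresses; not real data).
SAMPLE_FLOWS = [
    *("10.1.2.3 192.0.2.%d tcp 135 1 48" % i for i in range(10, 16)),  # six probes
    "10.1.2.3 192.0.2.50 tcp 4444 12 900",   # same host then talks to tcp/4444
    "10.1.2.9 192.0.2.50 udp 69 4 260",      # another host fetches via tftp
    "10.1.2.20 192.0.2.60 tcp 135 30 9000",  # ordinary DCOM/RPC sessions
    "10.1.2.20 192.0.2.61 tcp 135 22 6600",
    "not a flow record",
]
```

The fan-out threshold separates a scanning host from one legitimately using DCOM/RPC with a handful of servers; tune it against your own baseline before acting on hits.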
