Educause Security Discussion mailing list archives
Re: A worm exploiting RPC
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Mon, 11 Aug 2003 20:08:59 -0500
Geez. Thanks. Well, either I didn't pay attention, or they added a boatload of stuff to that since I read it earlier. Good thing we have other technical people working on this!

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Phil Rodrigues [mailto:Phil.Rodrigues () UCONN EDU]
Sent: Monday, August 11, 2003 8:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] A worm exploiting RPC

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

"You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applicaitons [SIC] listed:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP""

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut
email: phil.rodrigues () uconn edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================

"Bruhn, Mark S." <mbruhn () INDIANA EDU>
Sent by: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
08/11/2003 09:00 PM
Please respond to The EDUCAUSE Security Discussion Group Listserv
To: SECURITY () LISTSERV EDUCAUSE EDU
cc:
Subject: Re: [SECURITY] A worm exploiting RPC

We've had tftp/udp/69 blocked forever. I haven't seen reference to 4444, and the NOC didn't report any traffic on that -- I'm asking hereabouts.

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Jack Suess [mailto:jack () UMBC EDU]
Sent: Monday, August 11, 2003 7:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] A worm exploiting RPC

In looking at this at UMBC it appears from our logs to be trying to connect back through tftp on port 4444 to download the payload. Has anyone else noticed this behavior? We do not know if there are multiple versions but we have blocked 4444 outbound as a precaution right now.

jack suess
CIO

On Mon, 11 Aug 2003, Bruhn, Mark S. wrote:

If it's visible above the standard Abilene noise, you're more than likely going to be joined by a lot more sites before the night is over.

For those of you still fortifying and/or without a good info source, take a look at http://xforce.iss.net/xforce/alerts/id/150.

M.

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

-----Original Message-----
From: Pat Wilson [mailto:paw () noh ucsd edu]
Sent: Monday, August 11, 2003 5:29 PM
To: Bruhn, Mark S.
Cc: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] A worm exploiting RPC

Umm - welcome to the party? This has been hammering us since 1030 PDT. We've blocked our outbound 135 traffic (inbound was already blocked, so it came in on a laptop or something).

See http://isc.sans.org/diary.html?date=2003-08-11 for current thought.

Pat Wilson
Network Security Manager
UCSD ACS/Network Operations
paw () ucsd edu
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015

From owner-security () LISTSERV EDUCAUSE EDU Mon Aug 11 15:22:05 2003
Date: Mon, 11 Aug 2003 17:21:30 -0500
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Subject: [SECURITY] A worm exploiting RPC
To: SECURITY () LISTSERV EDUCAUSE EDU

We're seeing a lot of traffic associated with this on the Abilene backbone, and it's building steam. You'll want to start looking at your own netflow data right away, if you have access to it, or contact your upstream provider. You're looking for outgoing packets to TCP/135, and they appear to be 48-byte packets.

M.

--
Mark S. Bruhn, CISSP, CISM
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326
Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
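The thread's indicators (outbound TCP/135 probes of about 48 bytes from a host sweeping many targets, plus follow-on TCP/4444 and UDP/69 flows) expressed as a small netflow triage script. This is an added example, not code from any of the posters; the flow records, the `10.` local prefix and the scan threshold are constructed assumptions.

```python
# Added example (not from the thread): triage netflow-style records for the
# Blaster indicators the posts describe. All records below are constructed.
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, packets, bytes)
FLOWS = [
    ("10.1.2.3", "192.0.2.10", "tcp", 135, 2, 96),      # 48-byte probes ...
    ("10.1.2.3", "192.0.2.11", "tcp", 135, 2, 96),
    ("10.1.2.3", "192.0.2.12", "tcp", 135, 2, 96),
    ("10.1.2.3", "192.0.2.13", "tcp", 135, 2, 96),
    ("10.1.2.3", "192.0.2.14", "tcp", 135, 2, 96),      # ... to many targets
    ("192.0.2.14", "10.1.2.3", "tcp", 4444, 8, 1200),   # victim connects back
    ("192.0.2.14", "10.1.2.3", "udp", 69, 5, 600),      # and pulls payload via TFTP
    ("10.1.2.9", "10.1.5.5", "tcp", 135, 40, 5200),     # ordinary DCOM/RPC session
    ("10.1.2.9", "10.1.5.6", "tcp", 80, 12, 9000),
]

LOCAL_PREFIX = "10."   # assumption: our own address space, for "outbound"
SCAN_THRESHOLD = 4     # distinct TCP/135 targets before a source is flagged
FOLLOWON_PORTS = {("tcp", 4444), ("udp", 69)}

def is_probe(packets, nbytes, size=48, tolerance=4):
    """True when the flow's average packet size matches the ~48-byte probe."""
    return packets > 0 and abs(nbytes / packets - size) <= tolerance

def triage(flows):
    """Return {'scanners': {src: target_count}, 'followon': [(src, dst, proto, port)]}.

    A source is a 'scanner' when it sends probe-sized outbound TCP/135 flows to
    at least SCAN_THRESHOLD distinct hosts; any flow on 4444/tcp or 69/udp is
    listed as follow-on activity worth a look regardless of direction.
    """
    targets = defaultdict(set)
    followon = []
    for src, dst, proto, port, packets, nbytes in flows:
        outbound = src.startswith(LOCAL_PREFIX)
        if outbound and proto == "tcp" and port == 135 and is_probe(packets, nbytes):
            targets[src].add(dst)
        if (proto, port) in FOLLOWON_PORTS:
            followon.append((src, dst, proto, port))
    scanners = {s: len(t) for s, t in targets.items() if len(t) >= SCAN_THRESHOLD}
    return {"scanners": scanners, "followon": followon}

if __name__ == "__main__":
    print(triage(FLOWS))
```

A real run would feed exported flow records into `triage` instead of the constructed list; the long-lived 40-packet session to TCP/135 is deliberately not flagged because its packets are far larger than the probe size.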
Current thread:
- A worm exploiting RPC Bruhn, Mark S. (Aug 11)
- <Possible follow-ups>
- Re: A worm exploiting RPC Bruhn, Mark S. (Aug 11)
- Re: A worm exploiting RPC Jack Suess (Aug 11)
- Re: A worm exploiting RPC Phil Rodrigues (Aug 11)
- Re: A worm exploiting RPC Bruhn, Mark S. (Aug 11)
- Re: A worm exploiting RPC Phil Rodrigues (Aug 11)
- Re: A worm exploiting RPC Bruhn, Mark S. (Aug 11)