Educause Security Discussion mailing list archives

Re: DShield and Symantec report MSBlast in wild


From: Marty Hoag <Marty.Hoag () NDSU NODAK EDU>
Date: Tue, 12 Aug 2003 13:35:28 -0500

   We've had some anecdotal reports of systems crashing and
doing other weird stuff since yesterday. In at least one
case this was "corrected" when they finally patched the
RPC vulnerability (they thought they had done that a
couple weeks ago but...).

   Anyway, we have been blocking TFTP (UDP port 69) for
a long time and I wonder if the remote shell is stalling
when it tries to fire up tftp to get msblast and this
causes instabilities. (In other words the RPC vulnerability
is being used to set up the remote shell on port 4444 to
execute the tftp command).

   But I also read on the Symantec analysis that there
is an 80% chance of the worm using the XP offset and
20% using 2000.  So what happens when it tries to
compromise "the other" system. Does it just fail?
Does it cause a problem on the attacked system?
(I guess I'm assuming the offset is in the exploit
being sent to port 135 but I'm not sure).  The
Symantec info is at
https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf

   marty
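The sequence Marty describes (RPC exploit to TCP/135, remote shell on TCP/4444, then a TFTP fetch over UDP/69) can be checked for in firewall or flow logs. The following is an added example written for this archive page, not code from the poster or from any vendor; the flow-log line format and the sample records are constructed, and the two-minute pairing window is an assumed tuning value. It reports a "shell" finding when 135 and 4444 are hit in order from one source, and a "tftp" finding when the victim also connects back to the source on UDP/69; a "shell" finding with no "tftp" stage is exactly what one would expect to see on a network that blocks port 69, as the post hypothesizes.

```python
"""Detection sketch for the MSBlast-style propagation sequence discussed in
the post: TCP/135 (RPC), then TCP/4444 (remote shell) from the same source to
the same victim, then UDP/69 (TFTP) from the victim back to the source.
All sample data below is constructed for this example."""

import re
from datetime import datetime, timedelta

# Constructed flow records (not real traffic), one per line:
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_FLOWS = """\
2003-08-12 13:01:02 TCP 10.1.1.50:1052 -> 10.2.2.10:135
2003-08-12 13:01:03 TCP 10.1.1.50:1053 -> 10.2.2.10:4444
2003-08-12 13:01:04 UDP 10.2.2.10:1034 -> 10.1.1.50:69
2003-08-12 13:05:00 TCP 10.3.3.7:2000 -> 10.2.2.10:135
2003-08-12 13:07:00 TCP 10.9.9.9:3333 -> 10.2.2.11:4444
2003-08-12 13:09:00 TCP 10.4.4.4:2100 -> 10.2.2.12:135
2003-08-12 13:09:01 TCP 10.4.4.4:2101 -> 10.2.2.12:4444
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flows(text):
    """Parse the constructed flow format into dicts sorted by timestamp.
    Malformed lines are skipped rather than aborting the whole run."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    flows.sort(key=lambda f: f["ts"])
    return flows


def find_msblast_sequences(text, window=timedelta(minutes=2)):
    """Return (source, victim, stage) tuples.  stage is "shell" when a
    TCP/135 hit is followed by TCP/4444 from the same source within the
    window, and "tftp" when the victim additionally reaches back to the
    source on UDP/69.  The window length is an assumed tuning value."""
    flows = parse_flows(text)
    findings = []
    for rpc in (f for f in flows if f["proto"] == "TCP" and f["dport"] == 135):
        src, victim = rpc["src"], rpc["dst"]
        shell = [f for f in flows
                 if f["proto"] == "TCP" and f["dport"] == 4444
                 and f["src"] == src and f["dst"] == victim
                 and rpc["ts"] <= f["ts"] <= rpc["ts"] + window]
        if not shell:
            continue  # a lone 135 probe is not enough to report
        tftp = [f for f in flows
                if f["proto"] == "UDP" and f["dport"] == 69
                and f["src"] == victim and f["dst"] == src
                and shell[0]["ts"] <= f["ts"] <= shell[0]["ts"] + window]
        findings.append((src, victim, "tftp" if tftp else "shell"))
    return findings


if __name__ == "__main__":
    for src, victim, stage in find_msblast_sequences(SAMPLE_FLOWS):
        print(f"{src} -> {victim}: reached stage '{stage}'")
```

On the constructed sample this reports 10.1.1.50 reaching the "tftp" stage against 10.2.2.10 and 10.4.4.4 reaching only the "shell" stage against 10.2.2.12; the lone 135 probe and the lone 4444 connection are not reported on their own.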
