Educause Security Discussion mailing list archives
Re: DShield and Symantec report MSBlast in wild
From: Marty Hoag <Marty.Hoag () NDSU NODAK EDU>
Date: Tue, 12 Aug 2003 13:35:28 -0500
We've had some anecdotal reports of systems crashing and doing other weird stuff since yesterday. In at least one case this was "corrected" when they finally patched the RPC vulnerability (they thought they had done that a couple weeks ago but...).

Anyway, we have been blocking TFTP (UDP port 69) for a long time and I wonder if the remote shell is stalling when it tries to fire up tftp to get msblast and this causes instabilities. (In other words the RPC vulnerability is being used to set up the remote shell on port 4444 to execute the tftp command).

But I also read on the Symantec analysis that there is an 80% chance of the worm using the XP offset and 20% using 2000. So what happens when it tries to compromise "the other" system? Does it just fail? Does it cause a problem on the attacked system? (I guess I'm assuming the offset is in the exploit being sent to port 135 but I'm not sure).

The Symantec info is at https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf

marty

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
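Added example (not part of the original message): a firewall-log correlation that finds hosts showing the sequence described above, an inbound connection to TCP 135, then to TCP 4444 from the same peer, then a TFTP request (UDP 69) from the targeted host, and reports whether that request was blocked. The log format, addresses, 60-second window and function names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the original post).
# Assumed format: ISO-time src dst proto dport action
SAMPLE_LOG = """\
2003-08-12T09:00:01 10.1.5.20 10.1.7.33 tcp 135 allow
2003-08-12T09:00:02 10.1.5.20 10.1.7.33 tcp 4444 allow
2003-08-12T09:00:03 10.1.7.33 10.1.5.20 udp 69 deny
2003-08-12T09:05:00 10.1.5.20 10.1.7.40 tcp 135 allow
2003-08-12T09:10:00 10.1.8.2 10.1.9.9 udp 69 deny
2003-08-12T09:20:00 10.1.5.20 10.1.7.50 tcp 135 allow
2003-08-12T09:20:01 10.1.5.20 10.1.7.50 tcp 4444 allow
2003-08-12T09:20:02 10.1.7.50 10.1.5.20 udp 69 allow
"""

WINDOW = timedelta(seconds=60)  # assumed correlation window


def parse(line):
    """Split one log line into typed fields."""
    ts, src, dst, proto, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport), action


def correlate(log_text, window=WINDOW):
    """Return (target, peer, status) for each host that received tcp/135 and
    then tcp/4444 from the same peer and sent udp/69 within `window`."""
    rpc_seen = {}  # (peer, target) -> time of last allowed tcp/135
    shells = {}    # target -> (peer, time of allowed tcp/4444)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, action = parse(line)
        if proto == "tcp" and dport == 135 and action == "allow":
            rpc_seen[(src, dst)] = ts
        elif proto == "tcp" and dport == 4444 and action == "allow":
            first = rpc_seen.get((src, dst))
            if first is not None and ts - first <= window:
                shells[dst] = (src, ts)
        elif proto == "udp" and dport == 69 and src in shells:
            peer, opened = shells.pop(src)
            if ts - opened <= window:
                status = "tftp_blocked" if action == "deny" else "tftp_allowed"
                findings.append((src, peer, status))
    return findings
```

A host reported as `tftp_blocked` was still reached on ports 135 and 4444, so it needs the RPC patch even though the download was stopped.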