Educause Security Discussion mailing list archives

Re: UT/ISO: MS-RPC hacked b0t identification


From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Thu, 31 Jul 2003 16:43:53 -0500

FYI --

for fast banner grabbing of these rogue FTP ports,
you might use Foundstone's free ScanLine command
line utility:

usage:
------
sl -bht port[,ports] IP[,IP-IP] -v -o file.dump

# http://www.foundstone.com/resources/proddesc/scanline.htm

~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
512.475.9242

%>-----Original Message-----
%>From: Cam Beasley, ISO 
%>Sent: Thursday, 31 July, 2003 15:37
%>To: SECURITY () LISTSERV EDUCAUSE EDU
%>Subject: [SECURITY] UT/ISO: MS-RPC hacked b0t identification
%>
%>
%>Colleagues --
%>
%>If you aren't filtering NetBIOS ports (especially 
%>135/tcp,udp) in response to the recent RPC DCOM vuln, you 
%>might want to begin looking for compromised hosts on your networks.
%>
%>These particular ports might be useful:
%>*-others are certainly possible-*
%>
%>RogueFTP servers (grab banners): 
%>1223,6565,22222,45000,48522,64978,65456/TCP
%>        ; usually Serv-U ftp
%>
%>RogueIRC server: 56498/TCP
%>
%>Control channels: 10001,4444,5555,6351,7890/TCP
%>        ; typically rlogin, etc.
%>
%>Might not be a bad idea to use an IDS
%>at your border to monitor for things like
%>non-standard FTP (port != 21)..
%>
%>It is also the case that attackers will either disable DCOM
%>or patch the host machine to evade vulnerability scanners
%>and to avoid being back-hacked by another team..
%>
%>~cam.
%>
%>Cam Beasley
%>ITS/Information Security Office
%>The University of Texas at Austin
%>cam () austin utexas edu
%>
%>**********
%>Participation and subscription information for this EDUCAUSE
%>Discussion Group discussion list can be found at
%>http://www.educause.edu/memdir/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.
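As an added example (not code from the post, and not Foundstone's ScanLine), a small Python banner grabber that checks the rogue FTP ports listed above on a host you administer and flags "220" FTP greetings, singling out Serv-U since the post names it as the usual product; the local listener and its banner text are constructed so the block runs offline.

```python
import socket
import threading

# Ports the post lists as rogue FTP servers on hacked hosts (others are possible).
ROGUE_FTP_PORTS = [1223, 6565, 22222, 45000, 48522, 64978, 65456]


def grab_banner(host, port, timeout=3.0, max_bytes=512):
    """Connect and return the first bytes the service volunteers, or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(max_bytes)
    except OSError:  # refused, timed out, or reset: nothing listening we can talk to
        return None
    return data.decode("ascii", errors="replace").strip()


def classify_banner(banner):
    """Label a banner: FTP greetings start with '220'; Serv-U is the usual suspect."""
    if not banner:
        return "no-banner"
    if banner.startswith("220"):
        return "ftp-serv-u" if "serv-u" in banner.lower() else "ftp-other"
    return "non-ftp"


def scan_host(host, ports=ROGUE_FTP_PORTS):
    """Return {port: (banner, label)} so a reviewer can eyeball what answered."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port)
        results[port] = (banner, classify_banner(banner))
    return results


def serve_banner_once(banner):
    """Constructed local listener for offline testing: sends one banner, then exits."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port
```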
