Educause Security Discussion mailing list archives
Re: UT/ISO: MS-RPC hacked b0t identification
From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Thu, 31 Jul 2003 16:43:53 -0500
FYI -- for fast banner grabbing for these rogue FTP ports, you might use Foundstone's free Scanline command line utility:

usage:
------
sl -bht port[,ports] IP[,IP-IP] -v -o file.dump

# http://www.foundstone.com/resources/proddesc/scanline.htm

~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
512.475.9242

> -----Original Message-----
> From: Cam Beasley, ISO
> Sent: Thursday, 31 July, 2003 15:37
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] UT/ISO: MS-RPC hacked b0t identification
>
> Colleagues --
>
> If you aren't filtering NetBIOS ports (especially 135/tcp,udp) in response to the recent RPC DCOM vuln, you might want to begin looking for compromised hosts on your networks.
>
> These particular ports might be useful:
> *-others are certainly possible-*
>
> Rogue FTP servers (grab banners):
> 1223,6565,22222,45000,48522,64978,65456/TCP
>   ; usually Serv-U ftp
>
> Rogue IRC server: 56498/TCP
>
> Control channels: 10001,4444,5555,6351,7890/TCP
>   ; typically rlogin, etc.
>
> Might not be a bad idea to use an IDS at your border to monitor for things like non-standard FTP (=!21)..
>
> It is also the case that attackers will either disable DCOM or patch the host machine to evade vulnerability scanners and to avoid being back-hacked by another team..
>
> ~cam.
>
> Cam Beasley
> ITS/Information Security Office
> The University of Texas at Austin
> cam () austin utexa edu
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
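As an added example (not part of the post, and not Scanline's own code), a small Python triage pass over banner-sweep output that applies the quoted message's two ideas: the listed rogue FTP, IRC and control-channel ports, and the "FTP greeting on a port other than 21" heuristic suggested for border IDS. The input format (`host<TAB>port<TAB>banner`) and the hosts and banners in `SAMPLE` are constructed for illustration.

```python
import re

# Port lists transcribed from the post above; the grouping is the author's, not a tool's.
ROGUE_FTP_PORTS = {1223, 6565, 22222, 45000, 48522, 64978, 65456}
ROGUE_IRC_PORTS = {56498}
CONTROL_PORTS = {10001, 4444, 5555, 6351, 7890}
# An FTP service greets with a "220" reply line no matter which port it listens on.
FTP_GREETING = re.compile(r"^220[ -]")


def classify(port, banner):
    """Return a reason string if this port/banner pair matches the post's pattern, else None."""
    if FTP_GREETING.match(banner) and port != 21:
        reason = f"FTP greeting on non-standard port {port}"
        if "serv-u" in banner.lower():
            reason += " (Serv-U)"
        if port in ROGUE_FTP_PORTS:
            reason += " [listed rogue FTP port]"
        return reason
    if port in ROGUE_IRC_PORTS:
        return f"listener on listed rogue IRC port {port}"
    if port in CONTROL_PORTS:
        return f"listener on listed control-channel port {port}"
    return None


def triage(records):
    """records: 'host<TAB>port<TAB>banner' lines (banner may be empty); returns flagged hits."""
    hits = []
    for line in records:
        host, port, banner = line.rstrip("\n").split("\t", 2)
        reason = classify(int(port), banner)
        if reason:
            hits.append((host, int(port), reason))
    return hits


# Constructed sweep output for illustration; hosts and banners are invented.
SAMPLE = [
    "10.0.0.5\t21\t220 Serv-U FTP Server v4.0 for WinSock ready...",
    "10.0.0.7\t1223\t220 Serv-U FTP Server v4.0 for WinSock ready...",
    "10.0.0.9\t31337\t220-Welcome",
    "10.0.0.9\t56498\t",
    "10.0.0.12\t4444\t",
    "10.0.0.13\t80\tHTTP/1.0 400 Bad Request",
]

if __name__ == "__main__":
    for host, port, reason in triage(SAMPLE):
        print(f"{host}:{port}  {reason}")
```

A Serv-U banner on port 21 is deliberately not flagged: the signal in the post is the odd port, not the product, and a listener on a listed port with no banner is still reported.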