Re: DCOM Worm released

[Jordan Wiens <jwiens () nersp nerdc ufl edu>]

I can confirm that on our currently running network with IDS and flow
data.  TFTP is from the attacking source, not from any centralized
servers.

-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Mon, 11 Aug 2003, Dennis Opacki wrote:

> Never mind. SANS now indicates:
>
> Infection sequence:
>
> 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit
>    to TARGET
> 2. this causes a remote shell on port 4444 at the TARGET
> 3. the SOURCE now sends the tftp get command to the TARGET, using the
>    shell on port 4444,
> 4. the target will now connect to the tftp server at the SOURCE.
>
>
> On Mon, 11 Aug 2003, Dennis Opacki wrote:
>
> > Can anyone confirm whether the tftp transfers appear to be solely from the
> > hosts listed in the initial sans.org note (which now appear to have been
> > taken down), or is the transfer done from the infecting host?
> >
> > TIA,
> >
> > -Dennis
> >
> > On Mon, 11 Aug 2003, Joey wrote:
> >
> > > They found a worm, but since it uses tftp servers that
> > > can be taken down and since tftp is slow, it shouldnt
> > > have much of an effect.
> > >
> > > "Scans sequentially for machines with open port 135,
> > > starting at a presumably random IP address" - very
> > > stupid way to spread!
> > >
> > > http://isc.sans.org/diary.html?date=2003-08-11
> > >
> > > __________________________________
> > > Do you Yahoo!?
> > > Yahoo! SiteBuilder - Free, easy-to-use web site design software
> > > http://sitebuilder.yahoo.com
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html