Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)

From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 14 Aug 2003 21:40:21 -0500
Be careful of svchost.  ServUFTPD is often renamed svchost.exe to hide
it from less knowledgeable people.  To check to see if you have one
running, search for "svchost.exe" and check the file size.  If you find
one that around 496K, you're running a warez site.  (Normal size is 8 to
14k, depending upon file version.  Fully patched WinXP SP1 is 13k.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/


-----Original Message-----
From: Joey [mailto:joey2cool () yahoo com] 
Sent: Wednesday, August 13, 2003 2:56 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] ISS Security Brief: "MS Blast" 
MSRPC DCOM Worm Propagation (fwd)


svchost.exe listens on several ports on windows xp.
If microsoft is saying that it should never be on the
internet, couldn't there be more b0f's discovered in
the future? One peculiar service "DNS Client",
although listening on a few random ports just about
1024, also runs off of svchost.exe.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: