Full Disclosure mailing list archives
RE: DCOM RPC exploit (dcom.c)
From: "Andy Wood" <andy () digitalindustry org>
Date: Tue, 29 Jul 2003 21:29:50 -0400
FYI, Incidents.org reports: "Widespread scans for unpatched Windows machines underway (RPC vulnerability). Patch systems and block ports 135-139 & 445".
NetBIOS Scans haven't necessarily increased. I can't believe that any port is more sought out than NetBIOS. I see 139 and 445 more than any other port, and it has been that way for more than 2 years. But it isn't without good reason....if you get probed for 139 or 445, probe back; 8 out of 10 times it is open, and that system is infected with a worm. Then hit 'em with a smbclient or Winfingerprint, get that password policy and username/share list, find the weak password and welcome to their network......or dcom.c, that works too.

Andy

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Knud Erik Højgaard
Sent: Tuesday, July 29, 2003 8:14 PM
To: Peter Kruse; full-disclosure () lists netsys com

Peter Kruse wrote:
FYI, Incidents.org reports: "Widespread scans for unpatched Windows machines underway (RPC vulnerability). Patch systems and block ports 135-139 & 445". This might be caused by several tools in the hands of kiddies probing IPs for vulnerable systems. This could also be caused by a worm making its first round crashing and exploiting boxes. I guess time will tell.
when it strikes, it won't be silent.
BTW - nothing here, it's all quite around my firewalls.
quiets? wait and see.

--
kokasviiijn

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.504 / Virus Database: 302 - Release Date: 7/24/2003

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.504 / Virus Database: 302 - Release Date: 7/24/2003