Full Disclosure mailing list archives
Re: DCOM RPC exploit (dcom.c)
From: Paul Schmehl <pauls () utdallas edu>
Date: 27 Jul 2003 10:42:04 -0500
On Sun, 2003-07-27 at 01:30, Ron DuFresne wrote:
You can't firewall 135 inside your network or you'd have no network.but, you can at the outgouing gateway, as well as log the events there to help in locating inside infections. Slammer and some of the other recent worms giving a good headsup to folks that filtering is indeed not a one way proposition. ingress as well as egress filtering has been something strongly advocated for quite sometime. If an internal network gets so infected that it;s clogging the outgooing gateway chokepoint, then it's time to take that network 'offline' from the rest of the internet and cleanup. Unless the company line on this is open all ports and let the rest of the world fend for themselves while we try and cleanup this mess, which was the decision on a number of places during recent worm exploits and not limited to slammer.
How does *any* of what you've said lessen the pain of having to clean up the mess created by these worms. We block 135 in both directions, but that doesn't stop the worm from forcing us to play whack a mole again, on the inside. Even using SMS, SUS and login scripts to distribute patches *and* an aggressive educational program doesn't guarantee 100% coverage of patches. -- Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: DCOM RPC exploit (dcom.c), (continued)
- Re: DCOM RPC exploit (dcom.c) Chris Paget (Jul 26)
- Re: DCOM RPC exploit (dcom.c) Len Rose (Jul 26)
- Re: DCOM RPC exploit (dcom.c) Chris Paget (Jul 26)
- Re: DCOM RPC exploit (dcom.c) morning_wood (Jul 26)
- Re: DCOM RPC exploit (dcom.c) Shanphen Dawa (Jul 26)
- Re: DCOM RPC exploit (dcom.c) morning_wood (Jul 26)
- Re: DCOM RPC exploit (dcom.c) Len Rose (Jul 26)
- Re: DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 26)
- Re: DCOM RPC exploit (dcom.c) Paul Schmehl (Jul 26)
- Re: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 26)
- Re: DCOM RPC exploit (dcom.c) Ron DuFresne (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Paul Schmehl (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Chris Paget (Jul 26)
- Re: DCOM RPC exploit (dcom.c) Nathan Seven (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Valdis . Kletnieks (Jul 27)
- Re: DCOM RPC exploit (dcom.c) KF (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Valdis . Kletnieks (Jul 26)
- Re: DCOM RPC exploit (dcom.c) manohar singh (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Etaoin Shrdlu (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 27)
- Re: DCOM RPC exploit (dcom.c) Jean-Baptiste Marchand (Jul 29)
- Re: DCOM RPC exploit (dcom.c) Nick FitzGerald (Jul 29)
- Re: DCOM RPC exploit (dcom.c) gregh (Jul 26)