Full Disclosure mailing list archives

Re: Probable new MS DCOM RPC worm for Windows


From: "phlox" <phlox () comcast net>
Date: Sat, 20 Sep 2003 16:50:32 -0700

It can be people with autorooters, using it from Unix shells or Windows
boxes. It doesn't have to be a worm, technically. You can spread a trojan
just as fast with a scanner, if not faster than a worm.

-phlox

----- Original Message ----- 
From: "Richard Johnson" <rnews () whirlpool river com>
To: <full-disclosure () lists netsys com>; <incidents () securityfocus com>
Sent: Saturday, September 20, 2003 1:41 PM
Subject: [Full-disclosure] Probable new MS DCOM RPC worm for Windows


We've noticed increased scan activity on port 135, ramping up over the
past 20 hours.

The scanning appears to concentrate on nearby /16s.  For example, when
the source host has IP in 10.117.68.0/24, we've seen scanning of at
least single /24s within 10.114.0.0/16, 10.118.0.0/16 and
10.116.0.0/16, and nowhere else yet.

We've also had second-hand reports of svchost.exe being killed on hosts
being attacked, causing patch downloads during the attack to fail.
Also, at least two dialup links are being flooded into uselessness by
the scan traffic from others nearby.


Richard

-------
Example headers:

Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S
2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
...
Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S
1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
...
Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S
3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)

-- 
To reply via email, make sure you don't enter the whirlpool on river left.

My mailbox. My property. My personal space. My rules. Deal with it.
                        http://www.river.com/users/share/cluetrain/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
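The headers Richard quotes are plain SYNs to tcp/135, and his observation is that each source works through /16s adjacent to its own. The script below is an added example and is not part of either message: it parses tcpdump lines of that shape, flags any source that SYNs to tcp/135 on several distinct hosts, and reports which /16s it touches and what share of its targets sit "nearby" (an assumed window of four /16s on either side of the source's own; the post gives no threshold). The sample lines are constructed in the post's format, not a real capture.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Matches the TCP line shape tcpdump produced in the post, e.g.
#   "Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S ..."
# Only the fields the detection needs are captured.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+).*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+)"
)

# Constructed sample lines (not a real capture) in the same format as the
# headers quoted in the post. 10.117.68.93 hits several nearby /16s on
# tcp/135; 10.117.68.200 makes one ordinary SMB connection and 10.117.68.50
# sends a single SYN, so neither should be flagged.
SAMPLE_LOG = """\
Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:21:48.401122 0800 62: 10.117.68.93.1913 > 10.114.18.22.135: S 2922514107:2922514107(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:21:49.112233 0800 62: 10.117.68.93.1914 > 10.118.2.146.135: S 2922514108:2922514108(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:21:49.556677 0800 62: 10.117.68.93.1915 > 10.116.132.184.135: S 2922514109:2922514109(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:21:50.000001 0800 62: 10.117.68.93.1916 > 10.117.70.5.135: S 2922514110:2922514110(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:21:50.123456 0800 62: 10.117.68.200.3001 > 10.117.68.10.445: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:21:51.000000 0800 60: 10.114.18.21.135 > 10.117.68.93.1912: R 0:0(0) ack 2922514107 win 0
Sep 19 17:21:51.500000 0800 62: 10.117.68.50.2001 > 192.0.2.9.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
"""


def parse_syns(text, port=135):
    """Yield (src, dst) for every bare SYN (flags exactly 'S') to tcp/<port>.
    Lines that do not parse, carry other flags, or target another port are
    skipped, so RSTs and replies from the victims are not counted."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["flags"] != "S" or int(m["dport"]) != port:
            continue
        yield m["src"], m["dst"]


def nearby(src, dst, window=4):
    """True when dst lies in a /16 within `window` /16s of src's own /16
    (same first octet, second octets differ by at most `window`).
    The window is an assumed threshold, not something the post states."""
    s, d = ip_address(src).packed, ip_address(dst).packed
    return s[0] == d[0] and abs(s[1] - d[1]) <= window


def find_scanners(text, port=135, min_targets=3, window=4):
    """Return {src: summary} for sources that SYN to tcp/<port> on at least
    min_targets distinct hosts. The summary holds the distinct target count,
    the /16s touched, and the share of targets in /16s near the source."""
    targets = defaultdict(set)
    for src, dst in parse_syns(text, port):
        targets[src].add(dst)
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        nets = sorted({str(ip_network(f"{d}/16", strict=False)) for d in dsts})
        near = sum(nearby(src, d, window) for d in dsts)
        report[src] = {
            "targets": len(dsts),
            "nets16": nets,
            "near_share": near / len(dsts),
        }
    return report


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} targets on tcp/135, "
              f"/16s {', '.join(info['nets16'])}, "
              f"{info['near_share']:.0%} within the nearby window")
```

Run it against `tcpdump -n 'tcp[tcpflags] == tcp-syn and dst port 135'` output saved to a file by swapping `SAMPLE_LOG` for the file contents; a high `near_share` with many distinct targets is the pattern the post describes, whereas a scanner sweeping unrelated address space would show a low share.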

