Full Disclosure mailing list archives
Re: Probable new MS DCOM RPC worm for Windows
From: "phlox" <phlox () comcast net>
Date: Sat, 20 Sep 2003 16:50:32 -0700
It can be people with autorooters, using it from unix shells, or windows boxes.. doesn't have to be a worm... technically.. you can spread a trojan just as fast with a scanner.. if not faster than a worm..

-phlox

----- Original Message -----
From: "Richard Johnson" <rnews () whirlpool river com>
To: <full-disclosure () lists netsys com>; <incidents () securityfocus com>
Sent: Saturday, September 20, 2003 1:41 PM
Subject: [Full-disclosure] Probable new MS DCOM RPC worm for Windows
We've noticed increased scan activity on port 135, ramping up over the past 20 hours.

The scanning appears to concentrate on nearby /16s. For example, when the source host has IP in 10.117.68.0/24, we've seen scanning of at least single /24s within 10.114.0.0/16, 10.118.0.0/16 and 10.116.0.0/16, and nowhere else yet.

We've also had 2nd-hand reports of svchost.exe being killed on hosts being attacked, causing downloading patches during the attack to fail.

Also, at least two dialup links are being flooded into uselessness by the scan traffic from others nearby.

Richard

-------
Example headers:

Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
...
Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
...
Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
--
To reply via email, make sure you don't enter the whirlpool on river left.

My mailbox. My property. My personal space. My rules. Deal with it.
http://www.river.com/users/share/cluetrain/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
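Added example, not part of either poster's message: a small parser for tcpdump headers of the kind quoted above that groups port-135 SYNs by source /24 and reports which destination /16s each source probed and how many leading address bits the source shares with all of its targets. The function names are hypothetical, and the sample input is constructed from the three headers in the message.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed input: the three SYN headers quoted in the message, wrapped
# across two lines each as they appear in the archive.
SAMPLE = """\
Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S
2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S
1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S
3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
"""

# tcpdump prints endpoints as a.b.c.d.port; "S" after the colon means the
# SYN flag is set. \s lets the match survive a wrapped record.
SYN_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S\s")

def parse_syns(text, dport=135):
    """Yield (src, dst) addresses for every SYN sent to dport."""
    for m in SYN_RE.finditer(text):
        if int(m.group(4)) == dport:
            yield ip_address(m.group(1)), ip_address(m.group(3))

def common_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses share (32 if identical)."""
    return 32 - (int(a) ^ int(b)).bit_length()

def scan_locality(text, dport=135):
    """Per source /24: destination /16s probed and the shortest shared prefix."""
    targets = defaultdict(set)
    shortest = {}
    for src, dst in parse_syns(text, dport):
        src24 = ip_network(f"{src}/24", strict=False)
        targets[src24].add(ip_network(f"{dst}/16", strict=False))
        shortest[src24] = min(shortest.get(src24, 32),
                              common_prefix_len(src, dst))
    return {s: (sorted(targets[s]), shortest[s]) for s in targets}

if __name__ == "__main__":
    for src24, (dst16s, bits) in scan_locality(SAMPLE).items():
        nets = ", ".join(map(str, dst16s))
        print(f"{src24} -> {nets} (all within a /{bits} of the source)")
```

On a longer capture, a source /24 whose targets all share a long prefix with it matches the "nearby /16s" pattern described in the report, while a short shared prefix indicates wider or random target selection.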