Security Incidents mailing list archives

RPC-Spam issue, was => RE:


From: H C <keydet89 () yahoo com>
Date: Tue, 15 Oct 2002 12:01:44 -0700 (PDT)

Daniel, 

You may not be that far off at all...

We are in the same boat. We have udp/tcp 135-139 and
445 blocked but we still see the spam. We have
identified 2 hosts on campus: 1 is a Linux box
running RedHat 7.3, the other seems to be a Win2k
box. I've done a quick check of the Linux box but it
doesn't appear to be compromised; one thing I did
notice from external scanning is that RPC on the
Linux box is not configured correctly and allows
forwarding of RPC requests. 

Could be.

I've not checked the
Windows box yet but I was thinking maybe the
requests were being forwarded from outside the
campus network to hosts inside via these
misconfigured RPC installations. Any thoughts? Am I
way off base here?

As far as the Win2K system goes, check it carefully
for running processes...if you need a recommendation
for tools to use, or help in deciphering the info you
get, let me know.  

If these two systems are behind your f/w, and your f/w
blocks the ports (445 isn't used in this, per se),
then I don't see how the messages can be forwarded
from outside the network and routed through these two
machines.  Rather, you might check for scripts or
executables that are running on the systems.

One way to do this is to find a couple of words or a
phrase that seems unique to the message, and then
search *all* files on the system for that...including
exe and dll files.  

As far as the routing goes, you'd have to do some
packet captures to explicitly prove or disprove the
hypothesis.

My concern is that this sort of capability will start
showing up in spyware/malware.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
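The file search suggested in the message above (pick a phrase unique to the popup text, then look for it in every file on the box, exe and dll files included), as an added example that is not part of the original post or of any tool it mentions. It goes one step beyond the text: besides the plain ASCII/UTF-8 bytes it also looks for the phrase as UTF-16LE, since strings embedded in Win32 binaries and resource sections are frequently stored that way and a byte-for-byte ASCII search would miss them. The directory layout, file names and popup text it builds are constructed sample data, and the function names are this example's own.

```python
"""
Recursive "grep" for a phrase across every file under a root, including
binaries, matching the phrase both as UTF-8/ASCII bytes and as UTF-16LE.
Added example; not code from the original post.
"""
import os
import tempfile
from typing import Dict, List, Tuple

CHUNK = 1 << 20  # read 1 MiB at a time so large binaries need not fit in memory


def encodings_for(phrase: str) -> List[Tuple[str, bytes]]:
    """Byte patterns to look for: plain UTF-8/ASCII and UTF-16LE (Win32 wide strings)."""
    return [("ascii", phrase.encode("utf-8")),
            ("utf-16le", phrase.encode("utf-16-le"))]


def file_contains(path: str, patterns: List[Tuple[str, bytes]]) -> List[str]:
    """Return the names of the encodings under which the phrase occurs in the file.

    The file is read in chunks; a tail of (longest pattern - 1) bytes is carried
    over so a match that straddles two chunk boundaries is still found.
    """
    longest = max(len(p) for _, p in patterns)
    found: List[str] = []
    tail = b""
    try:
        with open(path, "rb") as fh:
            while True:
                block = fh.read(CHUNK)
                if not block:
                    break
                window = tail + block
                for name, pat in patterns:
                    if name not in found and pat in window:
                        found.append(name)
                tail = window[-(longest - 1):] if longest > 1 else b""
    except OSError:
        return []  # unreadable (permissions, device node): report nothing rather than abort
    return found


def search_tree(root: str, phrase: str) -> Dict[str, List[str]]:
    """Walk root; map each matching file (path relative to root, '/' separators) to its encodings."""
    patterns = encodings_for(phrase)
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if os.path.islink(full):
                continue  # do not follow links out of the tree being examined
            enc = file_contains(full, patterns)
            if enc:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = enc
    return hits


def build_sample_tree() -> str:
    """Constructed sample data (hypothetical): a text file holding the popup text,
    a fake DLL carrying it as a UTF-16LE string inside binary noise, and a clean binary."""
    root = tempfile.mkdtemp(prefix="rpcspam_")
    popup = "Do you want a free college degree"       # constructed popup text
    noise = bytes(range(256))                          # deterministic binary filler
    os.makedirs(os.path.join(root, "system32"))
    with open(os.path.join(root, "spam.txt"), "w") as fh:
        fh.write("Popup text: " + popup + "!\n")
    with open(os.path.join(root, "system32", "spamsvc.dll"), "wb") as fh:
        fh.write(b"MZ" + noise + popup.encode("utf-16-le") + b"\x00\x00" + noise)
    with open(os.path.join(root, "system32", "clean.exe"), "wb") as fh:
        fh.write(b"MZ" + noise)
    return root


def demo() -> Dict[str, List[str]]:
    """Build the sample tree and search it for a phrase unique to the popup."""
    return search_tree(build_sample_tree(), "free college degree")


if __name__ == "__main__":
    for path, encs in sorted(demo().items()):
        print(f"{path}: {', '.join(encs)}")
```

On a real system you would point `search_tree` at the drive root (or at the directories a service or startup entry could plausibly live in) and pick a phrase long enough to be unique but short enough that a spammer's minor rewording does not break the match. Note that this finds only plaintext strings; a binary that builds the message at run time, or keeps it compressed or XORed, will not show up, which is why the message above also recommends looking at the running processes themselves.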

