nanog mailing list archives

Re: RPC errors

From: william () elan net
Date: Mon, 11 Aug 2003 11:05:36 -0700 (PDT)

The following came through dshield which warns about new worm:
---
To: dshieldannounce () dshield org
Subject: [Dshieldannounce] likely RPC worm captured. Moving to infocon 'yellow'

We received a copy of a binary that very much looks
like an RPC worm. Preliminary info:

- scans for port 135 as soon as it starts
  point)

more details will be posted at http://isc.sans.org as
they become available. Please submit code captures
and the like to 'handlers () sans org'

--
SANS - Internet Storm Center
http://isc.sans.org

On Mon, 11 Aug 2003, Jack Bates wrote:


I'm showing signs of an RPC sweep across one of my networks that's 
killing some XP machines (only XP confirmed). How wide spread is this at 
this time. Also, does anyone know if this is just generating a DOS 
symptom or if I should be looking for backdoors in these client systems?

-Jack

Current thread:

RPC errors Jack Bates (Aug 11)
- Re: RPC errors Sean Donelan (Aug 11)
  - Re: RPC errors Jack Bates (Aug 11)
    - Re: RPC errors Dominic J. Eidson (Aug 12)
    - Re: RPC errors Crist Clark (Aug 12)
    - Re: RPC errors Dominic J. Eidson (Aug 12)
  - Re: RPC errors Chris Reining (Aug 11)
- Re: RPC errors /m (Aug 11)
- Re: RPC errors william (Aug 11)
- <Possible follow-ups>
- RE: RPC errors Drew Weaver (Aug 11)
- RE: RPC errors McBurnett, Jim (Aug 11)
- RE: RPC errors Mike Damm (Aug 11)
  - RE: RPC errors Kevin Houle (Aug 11)
- RE: RPC errors Drew Weaver (Aug 11)
- RE: RPC errors Brennan_Murphy (Aug 11)
- Re: RPC errors John Dvorak (Aug 11)
  - RE: RPC errors Bob German (Aug 11)
  - Re: RPC errors Michael Painter (Aug 11)
- RE: RPC errors Brennan_Murphy (Aug 11)

(Thread continues...)