After a little searching around.... Novell was apparently aware of this exploit, as it has been eliminated with the Win95/98 v3.1 client (now at SP2 as of 10/03/1999). See Novell TID2948363 at http://support.novell.com for details. Have a good weekend!! Michael J. Renner Network/UNIX-PC System Administrator HADCO Lighting, Genlyte-Thomas Group LLC >>> Bruce Dennison <dennis_bat_private> 10/08/1999 16:37:59 >>> FYI, Perhaps this has been reported. I havent seen it. If it has been previously reported, sorry. Consider this a reminder. Novell client opens port 427 TCP. My services file reports this port to be known as 'svrloc'. You can bluescreen Win95/98 with Novell Client versions 3.0 and 3.0.1 by sending a SYN to this port, as you would with 'nmap -sS -p 427 <target>'. This is quite fatal. The only recovery seems to be a power reset. If one uses a spoofed source address, sweeps a hundred or two class C's or so once every several minutes with nmap and a simple script, one could keep large numbers of business and govermental workstations offline for long periods of time. This works well on single machines or with bulk scans. It makes a lot of people very mad very quickly all at once. No one here on the LAN has figured out it was me yet, so I am still alive. I am not the workstation, LAN or Novell person in my shop. Its not my problem to deal with even though I found it. I can not test this any further. The only way I have found to stop it is to remove the Novell Client from my machine. Can someone confirm this? Does anyone have any more or better information on this? thanx, Bruce Dennison
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:07:07 PDT