Daniel,

You may not be that far off at all...

> We are in the same boat. We have udp/tcp 135-139 and
> 445 blocked but we still see the spam. We have
> identified 2 hosts on campus: 1 is a Linux box
> running RedHat 7.3, the other seems to be a Win2k
> box. I've done a quick check of the Linux box but it
> doesn't appear to be compromised; one thing I did
> notice from external scanning is that RPC on the
> Linux box is not configured correctly and allows
> forwarding of RPC requests.

Could be.

> I've not checked the
> windows box yet but I was thinking maybe the
> requests were being forwarded from outside the
> campus network to hosts inside via these
> misconfigured RPC installations. Any thoughts? Am I
> way off base here?

As far as the Win2K system goes, check it carefully for running processes... if you need a recommendation for tools to use, or help in deciphering the info you get, let me know.

If these two systems are behind your f/w, and your f/w blocks the ports (445 isn't used in this, per se), then I don't see how the messages can be forwarded from outside the network and routed through these two machines. Rather, you might check for scripts or executables that are running on the systems. One way to do this is to find a couple of words or a phrase that seems unique to the message, and then search *all* files on the system for that... including exe and dll files.

As far as the routing goes, you'd have to do some packet captures to explicitly prove or disprove the hypothesis.

My concern is that this sort of capability will start showing up in spyware/malware.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 15:56:49 PDT
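The file sweep suggested in the reply (search every file on the host, executables and DLLs included, for a phrase unique to the spam message), as an added example that is not part of the original post: a Python script that walks a directory tree and reports where the phrase occurs, in plain ASCII or in the UTF-16LE form Windows binaries typically carry strings in. The root directory, phrase and sample files are assumptions constructed for the demo.

```python
"""Recursive, binary-safe search of every file under a root for a phrase
lifted from a spam message.  Added example, not code from the original
post; the root, phrase and sample files used with it are constructed."""
import os
from typing import Dict, List, Tuple


def _patterns(phrase: str) -> Dict[str, bytes]:
    """Byte forms to look for: plain ASCII and UTF-16LE (how strings
    usually sit inside Windows EXE/DLL files).  Lower-cased so the
    match is case-insensitive; the phrase itself must be ASCII."""
    p = phrase.lower()
    return {"ascii": p.encode("ascii"), "utf-16le": p.encode("utf-16-le")}


def search_files_for_phrase(root: str, phrase: str,
                            chunk_size: int = 1 << 20) -> List[Tuple[str, str, int]]:
    """Walk `root`, read every regular file in binary mode and return
    (path, encoding, byte_offset) for the first hit in each file.
    Chunks overlap by len(longest pattern) - 1 bytes so a hit that
    straddles a chunk boundary is still seen; unreadable files are
    skipped rather than aborting the sweep."""
    patterns = _patterns(phrase)
    overlap = max(len(b) for b in patterns.values()) - 1
    hits: List[Tuple[str, str, int]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    tail, pos = b"", 0  # `tail` begins at absolute offset `pos`
                    while True:
                        chunk = fh.read(chunk_size)
                        if not chunk:
                            break
                        buf = tail + chunk
                        low = buf.lower()  # bytes.lower() folds ASCII only
                        hit = next(((enc, low.find(pat)) for enc, pat in
                                    patterns.items() if pat in low), None)
                        if hit:
                            hits.append((path, hit[0], pos + hit[1]))
                            break
                        keep = min(overlap, len(buf))
                        pos += len(buf) - keep
                        tail = buf[-keep:] if keep else b""
            except OSError:
                continue  # locked or unreadable file: skip, keep sweeping
    return hits
```

Run it against the system drive with a phrase from the popup and review every hit by hand; the tool's own files, caches and the pagefile will naturally contain the phrase too once it has been seen on the box.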