Re: Exploit for Windows RPC may be in the wild!

From: tEA-TiME (tEA-TiMEat_private)
Date: Sun Jul 27 2003 - 15:33:34 PDT


    There could be another explanation for the flow of traffic to port 135. Many
    programs being released now for using the NET SEND command to advertise,
    come with a built-in "scanner" to see if the host is active before wasting
    the time sending the whole message. Some of these software makers also
    suggest getting a port scanner and just scanning ports 135, 137, 138, 139,
    and 445 to see if a host is running and accepting NET messages.
    
    I run a lot on an earthlink.net dialup, and when I turn my messenger service
    back on to see how many ads I get, I get at least 5 in the time it takes me
    to go get a coffee.
    
    There may also be exploits out there looking for something on these ports,
    but I guarantee at least 98% of the traffic is from these NET SEND Ad
    programs.
    
    Hope it helps,
    
    tEA-TiME
    
    PS- Throw a sniffer up and check out any requests going to 135. That is what
    most people scan to see if a host is available and running the messenger
    service. You'll see the ad programs info in the packet.
    
    
    ----- Original Message -----
    From: "Eric Appelboom" <ericat_private>
    To: "Compton, Rich" <RComptonat_private>; <incidentsat_private>
    Sent: Sunday, July 27, 2003 1:42 PM
    Subject: RE: Exploit for Windows RPC may be in the wild!
    
    
    
    Yes, exploits have been released (source code) and win32 compiled
    binaries.
    A worm is expected soon; see the full-disclosure thread.
    
    Happy patching
    Any1 with snort sig?
    
    -----Original Message-----
    From: Compton, Rich [mailto:RComptonat_private]
    Sent: 25 July 2003 09:46 PM
    To: incidentsat_private
    
    FYI,
    ISPs are reporting a dramatic increase in traffic on TCP port 135.  No
    exploit code has been captured as of yet but the increase in traffic on
    this port probably indicates that exploit code is being executed!  Block
    ports 135 through 139 and 445!
    
    More info:
    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
    
    -Rich Compton
    
    

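The PS above suggests putting a sniffer on the wire and looking at who is knocking on port 135, and the thread also asks for a way to tell scanning apart from ordinary RPC use. The following is an added example, not code from any poster in this thread: it parses a constructed, hypothetical firewall-style connection log (the line format is an assumption, as are all the addresses) and, per source address, counts how many distinct hosts were contacted on TCP/135 and which of the NetBIOS/RPC ports named in the thread (135, 137, 138, 139, 445) were touched. A source that hits port 135 on several different hosts is flagged as a horizontal scan, which is the pattern both the NET SEND advertisers and anything hunting for vulnerable hosts would produce; it does not try to tell those two apart, since only the payload (as the PS notes) can do that.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical "fw" connection-log format.
# The addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Jul 27 14:02:11 fw DROP TCP 203.0.113.7:1043 -> 198.51.100.10:135
Jul 27 14:02:11 fw DROP TCP 203.0.113.7:1044 -> 198.51.100.11:135
Jul 27 14:02:12 fw DROP TCP 203.0.113.7:1045 -> 198.51.100.12:135
Jul 27 14:02:12 fw DROP TCP 203.0.113.7:1046 -> 198.51.100.13:135
Jul 27 14:02:13 fw DROP TCP 203.0.113.7:1047 -> 198.51.100.13:139
Jul 27 14:02:13 fw DROP UDP 203.0.113.7:1048 -> 198.51.100.13:137
Jul 27 14:05:40 fw ALLOW TCP 203.0.113.9:3201 -> 198.51.100.20:135
Jul 27 14:06:02 fw ALLOW TCP 192.0.2.5:51000 -> 198.51.100.30:80
"""

# Only the connection 5-tuple fragment matters; timestamp and action are ignored.
LINE_RE = re.compile(
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Ports named in the thread as the ones NET SEND advertisers probe.
NETBIOS_RPC_PORTS = {135, 137, 138, 139, 445}


def parse(log_text):
    """Return a list of (src, dst, dport, proto) tuples for lines that match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return events


def summarize(events, min_targets=3):
    """Per source: distinct hosts contacted on TCP/135, ports touched, scan verdict.

    min_targets is the threshold for calling a source a horizontal scanner;
    it is an arbitrary choice for this example, not a value from the thread.
    """
    targets = defaultdict(set)  # src -> set of dst hosts contacted on TCP/135
    ports = defaultdict(set)    # src -> set of NetBIOS/RPC ports touched
    for src, dst, dport, proto in events:
        if dport not in NETBIOS_RPC_PORTS:
            continue  # unrelated traffic (e.g. port 80) is not counted
        ports[src].add(dport)
        if dport == 135 and proto == "TCP":
            targets[src].add(dst)

    report = {}
    for src in ports:
        n = len(targets[src])
        report[src] = {
            "hosts_on_135": n,
            "ports": sorted(ports[src]),
            "horizontal_scan": n >= min_targets,
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(summarize(parse(SAMPLE_LOG)).items()):
        flag = "SCAN" if info["horizontal_scan"] else "ok"
        print(f"{src:15} hosts_on_135={info['hosts_on_135']} "
              f"ports={info['ports']} {flag}")
```

On the constructed sample, 203.0.113.7 is reported as a scanner (four distinct hosts on TCP/135, plus 137 and 139 on one of them), 203.0.113.9 is a single ordinary RPC connection and is left alone, and the web connection from 192.0.2.5 does not appear in the report at all. Feeding real firewall or sniffer output into this needs only a different `LINE_RE`.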


    This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 10:03:58 PDT