There could be another explanation for the flow of traffic to port 135. Many programs being released now for using the NET SEND command to advertise come with a built-in "scanner" to see if the host is active before wasting the time sending the whole message. Some of these software makers also suggest getting a port scanner and just scanning ports 135, 137, 138, 139, and 445 to see if a host is running and accepting NET messages. I run a lot on an earthlink.net dialup, and when I turn my messenger service back on to see how many ads I get, I get at least 5 in the time it takes me to go get a coffee. There may also be exploits out there looking for something on these ports, but I guarantee at least 98% of the traffic is from these NET SEND ad programs.

Hope it helps,
tEA-TiME

PS- Throw a sniffer up and check out any requests going to 135. That is what most people scan to see if a host is available and running the messenger service. You'll see the ad program's info in the packet.

----- Original Message -----
From: "Eric Appelboom" <ericat_private>
To: "Compton, Rich" <RComptonat_private>; <incidentsat_private>
Sent: Sunday, July 27, 2003 1:42 PM
Subject: RE: Exploit for Windows RPC may be in the wild!

Yes, exploits have been released (source code) and win32 compiled binaries. A worm is expected soon; see the full-disclosure thread.

Happy patching

Any1 with snort sig?

-----Original Message-----
From: Compton, Rich [mailto:RComptonat_private]
Sent: 25 July 2003 09:46 PM
To: incidentsat_private

FYI, ISPs are reporting a dramatic increase in traffic on TCP port 135. No exploit code has been captured as of yet, but the increase in traffic on this port probably indicates that exploit code is being executed! Block ports 135 through 139 and 445!

More info: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

-Rich Compton
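One way to act on the suggestion above to sort port 135 traffic by who is sending it, as an added example that is not part of the thread: the script below groups firewall log lines by source and separates sources that probe 135 together with the other NetBIOS/SMB ports (the pattern the post attributes to NET SEND ad scanners) from sources that touch 135 alone, which deserve a closer look given MS03-026. The log line format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Ports the post says NET SEND ad scanners probe to find live Messenger hosts.
MESSENGER_SCAN_PORTS = {135, 137, 138, 139, 445}

# Hypothetical firewall-log line format, constructed for this example.
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=\S+\s+proto=\w+\s+dport=(?P<dport>\d+)")

# Constructed sample log lines (not real captures).
SAMPLE_LOG = """\
2003-07-27 13:42:01 src=198.51.100.7 dst=203.0.113.20 proto=tcp dport=135 flags=S
2003-07-27 13:42:01 src=198.51.100.7 dst=203.0.113.20 proto=udp dport=137
2003-07-27 13:42:01 src=198.51.100.7 dst=203.0.113.20 proto=tcp dport=139 flags=S
2003-07-27 13:42:01 src=198.51.100.7 dst=203.0.113.20 proto=tcp dport=445 flags=S
2003-07-27 13:42:09 src=198.51.100.42 dst=203.0.113.20 proto=tcp dport=135 flags=S
2003-07-27 13:42:10 src=198.51.100.42 dst=203.0.113.21 proto=tcp dport=135 flags=S
2003-07-27 13:42:11 src=198.51.100.42 dst=203.0.113.22 proto=tcp dport=135 flags=S
2003-07-27 13:42:30 src=198.51.100.99 dst=203.0.113.20 proto=tcp dport=80 flags=S
"""

def parse_lines(text):
    """Yield (src, dport) for every parseable log line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("dport"))

def classify_sources(text):
    """Return {src: (label, sorted_ports, hits)} for every source that hit port 135."""
    ports = defaultdict(set)
    hits = defaultdict(int)
    for src, dport in parse_lines(text):
        if dport in MESSENGER_SCAN_PORTS:
            ports[src].add(dport)
            hits[src] += 1
    result = {}
    for src, seen in ports.items():
        if 135 not in seen:
            continue
        # 135 plus other NetBIOS/SMB ports is the pattern the post attributes to
        # NET SEND ad scanners; 135 alone deserves a closer look given MS03-026.
        label = "messenger-scan" if len(seen) > 1 else "port-135-only"
        result[src] = (label, sorted(seen), hits[src])
    return result

if __name__ == "__main__":
    for src, (label, seen, n) in classify_sources(SAMPLE_LOG).items():
        print(f"{src:16} {label:15} ports={seen} hits={n}")
```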
This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 10:03:58 PDT