Yeah, the exploit works way too well for my liking. The win32 binary didn't seem to work though. I usually found that one can try once to get the OS/SP pair correct; if not, the machine carries on its merry way even if you then get the OS/SP pair correct. A nice indicator that a machine has been exploited is that after you quit from the shell it causes NT Authority to panic and shut the machine down after 60 seconds.

Some snort sigs I came across, don't know how good they are:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2190; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2191; rev:1;)

On a side note, to those in ISP scenarios: any thoughts about blocking NetBIOS inbound to POPs?

Eric

-----Original Message-----
From: morning_wood [mailto:se_cur_ityat_private]
Sent: 27 July 2003 10:17 PM
To: Compton, Rich; incidentsat_private

It is in the wild and very, very effective; in random testing I'm finding 80% of all XP/2k boxes affected...

Donnie Werner
http://exploitlabs.com

----- Original Message -----
From: "Compton, Rich" <RComptonat_private>
To: <incidentsat_private>
Sent: Friday, July 25, 2003 12:45 PM
Subject: Exploit for Windows RPC may be in the wild!

> FYI,
> ISPs are reporting a dramatic increase in traffic on TCP port 135. No
> exploit code has been captured as of yet but the increase in traffic on this
> port probably indicates that exploit code is being executed! Block ports
> 135 through 139 and 445!
>
> More info:
> http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
>
> -Rich Compton
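Reading the first of those rules (sid 2190) against the connection-oriented DCE/RPC bind header layout, its content/distance/byte_test chain lands on a first-fragment bind PDU that advertises zero presentation contexts. The Python below is an added example, not part of this thread, that re-implements that byte walk over a raw TCP payload and exercises it on constructed bind PDUs; the port 445 rule (sid 2191) applies the same DCE/RPC checks once it has located the \PIPE\ name inside the SMB transaction, and the field offsets are taken from the DCE/RPC C/O PDU layout.

```python
import struct

# Offsets in a connection-oriented DCE/RPC bind PDU: 16-byte common header
# followed by the bind-specific fields. These are the bytes sid 2190 walks:
#   content:"|05|"                       -> offset 0  (rpc_vers == 5)
#   content:"|0b|" distance:1 within:1   -> offset 2  (ptype == bind)
#   byte_test:1,&,1,0,relative           -> offset 3  (pfc_flags & FIRST_FRAG)
#   content:"|00|" distance:21 within:1  -> offset 24 (n_context_elem == 0)
OFF_RPC_VERS = 0
OFF_PTYPE = 2
OFF_PFC_FLAGS = 3
OFF_N_CONTEXT = 24

PTYPE_BIND = 0x0B
PFC_FIRST_FRAG = 0x01


def matches_sid_2190(payload: bytes) -> bool:
    """Return True when a TCP payload to port 135 would trigger sid 2190:
    a first-fragment bind PDU that carries zero presentation contexts."""
    if len(payload) <= OFF_N_CONTEXT:      # too short to reach the last check
        return False
    return (payload[OFF_RPC_VERS] == 0x05
            and payload[OFF_PTYPE] == PTYPE_BIND
            and (payload[OFF_PFC_FLAGS] & PFC_FIRST_FRAG) != 0
            and payload[OFF_N_CONTEXT] == 0x00)


def build_bind_pdu(n_context_elem: int, pfc_flags: int = 0x03) -> bytes:
    """Constructed sample: a 28-byte bind PDU header with the given context
    count. Context items themselves are omitted because the rule never
    inspects them; frag_length therefore covers only the header built here."""
    common = struct.pack(
        "<BBBB4sHHI",
        5, 0,                     # rpc_vers, rpc_vers_minor
        PTYPE_BIND, pfc_flags,    # ptype, pfc_flags (0x03 = first|last frag)
        b"\x10\x00\x00\x00",      # packed_drep: little-endian integers, ASCII
        28,                       # frag_length
        0,                        # auth_length
        1,                        # call_id
    )
    bind = struct.pack("<HHIBBH",
                       4280, 4280,        # max_xmit_frag, max_recv_frag
                       0,                 # assoc_group_id
                       n_context_elem, 0, 0)  # n_context_elem, reserved, reserved2
    return common + bind


def scan(payloads):
    """Index of every payload in the list that would raise the alert."""
    return [i for i, p in enumerate(payloads) if matches_sid_2190(p)]
```

A normal client bind carries at least one context item, so only the zero-context variant (and not a truncated or non-first-fragment PDU) is reported by scan().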
This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 12:32:08 PDT