RE: Exploit for Windows RPC may be in the wild!

From: James C. Slora, Jr. (Jim.Sloraat_private)
Date: Mon Jul 28 2003 - 11:15:57 PDT

Next message: Frank Knobbe: "Re: Scan of TCP 552-554"

Previous message: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
Maybe in reply to: Compton, Rich: "Exploit for Windows RPC may be in the wild!"
Next in thread: Sumit: "RE: Exploit for Windows RPC may be in the wild!"
Reply: Sumit: "RE: Exploit for Windows RPC may be in the wild!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

tEA-TiME wrote Sunday, July 27, 2003 6:34 PM
> There could be another explanation for the flow of traffic to port 135. Many
> programs being released now for using the NET SEND command to advertise,
> come with a built in "scanner" to see if the host is active beore wasting
> the time sending the whole message. Some of these software makers also
> suggest getting a port scanner and just scanning ports 135, 137, 138, 139,
> and 445 to see if a host is running and accepting NET messages.


Yes many could be messenger spam probes. I've seen a marked increase in TCP 135 scanning over the past week, though. And I'm getting new scan combos (TCP 135 and 445 with no other ports) that strongly suggest RPC probing rather than messenger spam.

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Frank Knobbe: "Re: Scan of TCP 552-554"
Previous message: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
Maybe in reply to: Compton, Rich: "Exploit for Windows RPC may be in the wild!"
Next in thread: Sumit: "RE: Exploit for Windows RPC may be in the wild!"
Reply: Sumit: "RE: Exploit for Windows RPC may be in the wild!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 12:52:35 PDT