RE: Exploit for Windows RPC may be in the wild!

From: Paul Tinsley (pdtat_private)
Date: Mon Jul 28 2003 - 22:28:38 PDT

    I wrote some earlier today and sent them over to the snort signatures list.
    In my eyes the signatures are still Alpha, they seem to pick up all of the
    options out of dcom.c really well.  I have yet to see a false positive or
    negative.  I am looking for feedback though, so if you use them and find
    false results in either direction, please let me know so that I can improve
    the rules.
    
    http://jackhammer.org/rules/dcom.rules
    
    Use either 1100001 - 1100007 or 1100008; if used in conjunction, 8 will
    override 1-7.  I wrote 8 for those who just want to know it is going on but
    don't care specifically what is being attempted; the other rule set will
    tell you down to the SP what attack is being attempted.  Be warned with 8,
    it is very dependent on the dcom.c version of the code.  The other 7 are a
    little more flexible.  Read the documentation referenced in the rules for
    more info.
    
    Thanks,
        Paul Tinsley
    
    -----Original Message-----
    From: Eric Appelboom [mailto:ericat_private] 
    Sent: Sunday, July 27, 2003 12:42 PM
    To: Compton, Rich; incidentsat_private
    
    Yes, exploits have been released (source code) and win32 compiled
    binaries.
    A worm is expected soon; see the full-disclosure thread.
    
    Happy patching.
    Anyone with a snort sig?
    
    -----Original Message-----
    From: Compton, Rich [mailto:RComptonat_private] 
    Sent: 25 July 2003 09:46 PM
    To: incidentsat_private
    
    FYI, 
    ISPs are reporting a dramatic increase in traffic on TCP port 135.  No
    exploit code has been captured as of yet but the increase in traffic on
    this port probably indicates that exploit code is being executed!  Block
    ports 135 through 139 and 445! 
    
    More info: 
    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
    
    -Rich Compton
    
    
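The dcom.rules file Paul links to is not reproduced on this page. What follows is an added example written for this archive, not Paul's rules and not code from the thread: a small parser for DCE/RPC v5 bind PDUs, of the kind a detector watching TCP/135 needs, used to contrast a byte-exact match tied to one exploit build (the fragility Paul warns about for rule 8) with a structural check on which interface the client is binding to. It assumes that MS03-026 exploit traffic binds to the ISystemActivator interface UUID 000001a0-0000-0000-c000-000000000046 (that UUID, the endpoint-mapper UUID and the NDR transfer-syntax UUID are hard-coded here as assumptions), and all sample PDUs are constructed inside the code rather than captured.

```python
import struct
import uuid

# Assumed interface identifiers (not taken from the thread).
ISYSTEMACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")  # interface attacked by MS03-026 (assumption)
EPMAPPER = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")          # endpoint mapper, a benign bind on port 135
NDR_V2 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")            # NDR transfer syntax

PTYPE_BIND = 0x0B


def build_bind(abstract, abstract_ver=0, call_id=1):
    """Construct a minimal little-endian DCE/RPC v5 bind PDU with one
    context item (the given abstract syntax, NDR v2 as the only transfer
    syntax).  Sample-input generator only; no packets are sent."""
    ctx = struct.pack("<HBB", 0, 1, 0)                 # context id, transfer count, pad
    ctx += abstract.bytes_le + struct.pack("<I", abstract_ver)
    ctx += NDR_V2.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHI", 5840, 5840, 0)          # max xmit, max recv, assoc group
    body += struct.pack("<B3x", 1)                     # number of context items + padding
    body += ctx
    # version, minor, ptype, flags (first|last frag), data representation,
    # fragment length, auth length, call id
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                         b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return header + body


def parse_bind(pdu):
    """Parse a bind PDU into a list of (abstract UUID, version, [transfer UUIDs]).
    Returns None for PDUs that are not binds; raises ValueError on malformed input."""
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind header")
    ver, _minor, ptype, _flags, drep, frag_len, _auth_len, _call_id = \
        struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if ver != 5 or ptype != PTYPE_BIND:
        return None
    if drep[0] & 0xF0 != 0x10:                         # integer representation nibble
        raise ValueError("only little-endian data representation is handled")
    if frag_len > len(pdu):
        raise ValueError("fragment length exceeds captured data")
    n_ctx = pdu[24]
    off = 28                                           # first context item
    items = []
    for _ in range(n_ctx):
        if off + 24 > frag_len:
            raise ValueError("truncated context item")
        _ctx_id, n_trans = struct.unpack_from("<HB", pdu, off)
        off += 4
        abstract = uuid.UUID(bytes_le=pdu[off:off + 16])
        off += 16
        a_ver = struct.unpack_from("<I", pdu, off)[0]
        off += 4
        transfers = []
        for _ in range(n_trans):
            if off + 20 > frag_len:
                raise ValueError("truncated transfer syntax")
            transfers.append(uuid.UUID(bytes_le=pdu[off:off + 16]))
            off += 20                                  # UUID + 4-byte version
        items.append((abstract, a_ver, transfers))
    return items


def flag_bind(pdu):
    """Structural check: does this bind request the interface assumed to be
    attacked?  Independent of call id, flags, or extra context items."""
    items = parse_bind(pdu)
    if not items:
        return False
    return any(abstract == ISYSTEMACTIVATOR for abstract, _, _ in items)


# A byte-exact signature in the spirit of a rule tied to one exploit build:
# it matches only the precise bind PDU that one particular tool emits.
EXPLOIT_BUILD_BIND = build_bind(ISYSTEMACTIVATOR, call_id=1)


def brittle_match(pdu):
    return pdu == EXPLOIT_BUILD_BIND


if __name__ == "__main__":
    for label, pdu in (("exploit build, call id 1", build_bind(ISYSTEMACTIVATOR, call_id=1)),
                       ("same interface, call id 2", build_bind(ISYSTEMACTIVATOR, call_id=2)),
                       ("endpoint mapper bind", build_bind(EPMAPPER))):
        print(f"{label:28s} brittle={brittle_match(pdu)!s:5s} structural={flag_bind(pdu)}")
```

Changing a single header field such as the call id defeats the byte-exact match while the structural check still fires; the price is a parser that must handle fragment lengths and big-endian data representation (rejected here rather than decoded) correctly, which is where a structural rule in turn picks up its own false negatives.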



    This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 09:36:55 PDT