Just as an interesting FYI, we are blocking these at the perimeter (obviously as well as patching all boxes we find also) and a HUGE majority (maybe 80-90%) of the attempts are hitting on port 445, not 135. So if you are one of the lucky few that can block at the perimeter, be sure you are blocking them ALL. I have seen 135, 137, 139, 445, 80/443 (any IIS box with COM Internet Services installed is what dlimanovat_private reported) and also according to dlimanovat_private any machine that has RPC over HTTP is exploitable on 593 tcp/udp as well. I could swear that I even remember seeing 4444 in one person's e-mail now, but I can't find it to attribute it. Sorry. That is a lot of ports. Obviously the best answer is to get patched, but if blocking can buy you a little time, try it. Just be sure you block all of them that you can. If what I am seeing on scans is any indication, the first big worm will hit using 445, assuming that everyone has been focusing on 135. My 2 cents. JayW >>> "Bojan Zdrnja" <Bojan.Zdrnjaat_private> 08/01/03 07:30PM >>> > -----Original Message----- > From: Stong, Ian C. (Contractor) [mailto:StongIat_private] > Sent: Friday, 1 August 2003 11:33 p.m. > To: 'Russell Fulton'; Schmehl, Paul L > Cc: incidentsat_private > Subject: RE: Command Line RPC vulnerability scanner? > > > Hi Russell, > > A possible workaround (depending on your WAN requirements for port 135) for > the systems that can't be patched is to simply block port 135 into your > network. If you need port 135 to be accessible from certain remote sites > then allow those specific source/destination address and port pairs through > your router or firewall. This will work well to stop attacks originating from the Internet, but as it was discussed on another mailing list (Full-disclosure), this is definetly not sufficient. I'd like to warn people that port blocking on their perimeter firewalls is *not* enough (and only a small number of companies can afford *good& firewalling in internal networks). It is probably just a question of time when one of the following two will happen: 1) An employee inside your network or with VPN access runs exploit on your internal network. 2) Worm is written which exploits this vulnerability and enters your network via employees computer and VPN. 3) Same worm spreads with mass e-mail. Therefore, I'd consider patching as the only solution against this (nasty) vulnerability. --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 10:35:43 PDT