Re: Blasting Blaster.Worm (aka LovSan Virus)

From: Alan B. Clegg (abcat_private)
Date: Wed Aug 13 2003 - 04:25:55 PDT

    Out of the ether, iDaemon Security spewed forth the following bitstream:
    
    > 1. worm finds host vulnerable to DCOM RPC exploit, attacks on 135/TCP
    > (and UDP... it is safe to assume that traffic will use TCP and/or UDP,
    > so please assume UDP is implied for the rest of my comments)
    
    No, it is not safe to assume that traffic will use TCP and/or UDP.  It is
    up to the examiner of the incident to determine which protocol is being
    used.
    
    The infection is via TCP/135, the shell is on TCP/4444 and the tftp is on
    UDP/69.
    
    Broad generalizations like that above cause blocking that is not necessary.
    
    AlanC
    -- 
    I must study politics and war that my sons     |
    may have liberty to study mathematics and      |        alanat_private
    philosophy. -- John Adams                      |
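
The distinction drawn in the message above, as an added example that is not part of the original post: it matches flows on the exact protocol and port pairs the message lists (TCP/135, TCP/4444, UDP/69) and counts how many extra flows a port-only rule would also catch. The flow-record format, the addresses, and the function names are constructed for illustration.

```python
from collections import Counter

# (protocol, destination port) -> stage, as listed in the message above
BLASTER_STAGES = {
    ("tcp", 135): "infection (DCOM RPC)",
    ("tcp", 4444): "remote shell",
    ("udp", 69): "tftp transfer",
}
BLASTER_PORTS = {port for _, port in BLASTER_STAGES}

def parse_flow(line):
    """Parse 'src dst proto dport' (constructed format) into a tuple."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)

def classify(line):
    """Return the worm stage, or None unless protocol AND port both match."""
    _, _, proto, dport = parse_flow(line)
    return BLASTER_STAGES.get((proto, dport))

def compare_rules(lines):
    """Count flows hit by an exact (proto, port) rule vs. a port-only rule."""
    counts = Counter(exact=0, port_only=0)
    for line in lines:
        _, _, proto, dport = parse_flow(line)
        if (proto, dport) in BLASTER_STAGES:
            counts["exact"] += 1
        if dport in BLASTER_PORTS:
            counts["port_only"] += 1
    # Flows a "TCP and/or UDP" rule would block without matching the worm
    counts["overblocked"] = counts["port_only"] - counts["exact"]
    return dict(counts)

# Constructed sample flows (documentation addresses, not real traffic).
SAMPLE_FLOWS = [
    "192.0.2.10 198.51.100.5 TCP 135",
    "192.0.2.10 198.51.100.5 TCP 4444",
    "198.51.100.5 192.0.2.10 UDP 69",
    "192.0.2.20 198.51.100.7 UDP 135",
    "192.0.2.21 198.51.100.8 TCP 69",
    "192.0.2.22 198.51.100.9 UDP 4444",
    "192.0.2.23 198.51.100.9 TCP 443",
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow:40} -> {classify(flow)}")
    print(compare_rules(SAMPLE_FLOWS))
```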
    
    
    


