Out of the ether, iDaemon Security spewed forth the following bitstream:

> 1. worm finds host vulnerable to DCOM RPC exploit, attacks on 135/TCP
> (and UDP... it is safe to assume that traffic will use TCP and/or UDP,
> so please assume UDP is implied for the rest of my comments)

No, it is not safe to assume that traffic will use TCP and/or UDP. It is up to the examiner of the incident to determine which protocol is being used. The infection is via TCP/135, the shell is on TCP/4444 and the tftp is on UDP/69. Broad generalizations like that above cause blocking that is not necessary.

AlanC
--
I must study politics and war that my sons |
may have liberty to study mathematics and  | alanat_private
philosophy. -- John Adams                  |

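
The protocol/port distinction drawn in the message above, as an added example that is not part of the original post: it matches flow records against the exact protocol and port pairs named there and lists what a protocol-agnostic port rule would additionally hit. The flow record layout, the sample addresses and the grouping by host pair are assumptions made for illustration.

```python
from collections import defaultdict

# (protocol, destination port) pairs exactly as stated in the message above.
EXACT = {("tcp", 135): "infection", ("tcp", 4444): "shell", ("udp", 69): "tftp"}
PORTS = {port for _, port in EXACT}  # what a "TCP and/or UDP" rule would match

# Constructed sample flow records: (src, dst, protocol, dst_port).
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.9", "tcp", 135),
    ("10.0.0.5", "10.0.0.9", "tcp", 4444),
    ("10.0.0.9", "10.0.0.5", "udp", 69),
    ("10.0.0.7", "10.0.0.20", "udp", 4444),   # unrelated UDP application
    ("10.0.0.8", "10.0.0.21", "tcp", 135),    # lone RPC connection, no follow-up
    ("10.0.0.30", "10.0.0.31", "udp", 135),   # same port number, other protocol
]

def stages_by_pair(flows):
    """Map each unordered host pair to the set of exact-match stages seen."""
    seen = defaultdict(set)
    for src, dst, proto, dport in flows:
        stage = EXACT.get((proto.lower(), dport))
        if stage:
            seen[frozenset((src, dst))].add(stage)
    return seen

def full_sequence_pairs(flows):
    """Host pairs that showed all three protocol/port stages."""
    want = set(EXACT.values())
    pairs = stages_by_pair(flows)
    return sorted(tuple(sorted(p)) for p, s in pairs.items() if s == want)

def overmatched(flows):
    """Flows a port-only rule hits that the exact protocol/port rule does not."""
    return [f for f in flows
            if f[3] in PORTS and (f[2].lower(), f[3]) not in EXACT]

if __name__ == "__main__":
    print("full sequence:", full_sequence_pairs(SAMPLE_FLOWS))
    print("matched only by the broad rule:", overmatched(SAMPLE_FLOWS))
```
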
This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 07:53:46 PDT