lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: daniele at muscetta.com (Daniele Muscetta)
Subject: ISS Security Brief: 'MS Blast' MSRPC DCOM Worm Propagation (fwd)

> svchost.exe listens on several ports on windows xp.
> If microsoft is saying that it should never be on the
> internet, couldn't there be more b0f's discovered in
> the future? One peculiar service "DNS Client",
> although listening on a few random ports just about
> 1024, also runs off of svchost.exe.

svchost is a "wrapper" for services that work as DLLs instead of being
implemented with their own .EXE.
On its own it is harmful.

It is RPC which should not listen on the internet. It's a very different
matter.

Anyway, "DNS Client" is the DNS RESOLVER, that component that queries the
DNS for you... and it does not listen, as far as I know.
It opens of course dynamic ports >1024 as SOURCE ports, to talk to DNS
server on target port 53... what would you expect it do otherwise ?

It also implements the dynamic record registration for DDNS, so it
REGISTERS the address of the client on the server (if instructed to do so,
and if the server supports it).


...if you don't want it, you might even want to remove resolv.conf from
your linux box.... since it might be just as harmful..... :)


Daniele

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ