From: dufresne at winternet.com (Ron DuFresne)
Subject: DCOM RPC exploit  (dcom.c)

On 26 Jul 2003, Paul Schmehl wrote:

> On Sat, 2003-07-26 at 22:29, Ron DuFresne wrote:
> >
> > I'm just trying to understand how corporate networks would/should be at
> > risk with this, why port 135 would not be filtered already limiting
> > exposure.  Is there a reason why it would not be that I'm missing?
>
> Are you really serious?  Recall Slammer?  There were networks that were
> locked down pretty tight.  Slammer couldn't get in, right?  Then one
> developer who got his unpatched copy of SQL inside the network, by
> logging in through VPN with his infected laptop, took the entire network
> down.
>
> You can't get in to our network on those ports either - unless you're
> already in.  But I can guarantee you that we'll be chasing infected
> boxes down for days after the worm hits.  And we've already patched
> everything that we could patch.  I scan for Slammer every week, because
> every week someone new decides to install SQL unpatched or some stupid
> app that has an unpatched copy of MSDE.  Now I'll be chasing the RPC
> worm around too.
>
> You can't firewall 135 inside your network or you'd have no network.

But you can at the outgoing gateway, as well as log the events there to
help in locating inside infections.  Slammer and some of the other recent
worms gave a good heads-up to folks that filtering is indeed not a one-way
proposition.

Ingress as well as egress filtering has been something strongly advocated
for quite some time.


If an internal network gets so infected that it's clogging the outgoing
gateway chokepoint, then it's time to take that network 'offline' from the
rest of the internet and clean up.  Unless the company line on this is to open
all ports and let the rest of the world fend for themselves while we try
to clean up this mess, which was the decision in a number of places during
recent worm exploits, and not limited to Slammer.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
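An added example, not part of the list thread, of the log-based locating Ron describes: it parses constructed gateway drop records for outbound TCP/135 and ranks internal sources by how many distinct external hosts they tried to reach, which is what a scanning worm looks like from the chokepoint. The iptables-style log wording, the 10.0.0.0/8 internal range and the two-target threshold are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample gateway log (iptables-style wording, not a real device).
SAMPLE_LOG = """\
Jul 27 03:12:01 gw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=203.0.113.9 PROTO=TCP SPT=1045 DPT=135
Jul 27 03:12:01 gw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=203.0.113.10 PROTO=TCP SPT=1046 DPT=135
Jul 27 03:12:02 gw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.4.22 DST=198.51.100.7 PROTO=TCP SPT=1047 DPT=135
Jul 27 03:12:02 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.9.5 DST=192.0.2.80 PROTO=TCP SPT=2210 DPT=80
Jul 27 03:12:03 gw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.9.5 DST=203.0.113.44 PROTO=TCP SPT=2211 DPT=135
Jul 27 03:12:03 gw kernel: DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=10.1.4.22 PROTO=TCP SPT=4444 DPT=135
"""

LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT) IN=\S+ OUT=\S+ "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse_log(text):
    """Yield one dict per line that matches the assumed gateway format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def is_internal(addr, nets):
    ip = ip_address(addr)
    return any(ip in net for net in nets)

def suspect_hosts(text, internal_nets=("10.0.0.0/8",), port=135, min_targets=2):
    """Return {internal_src: number of distinct external targets} for hosts whose
    outbound TCP/<port> attempts were dropped against >= min_targets hosts.
    Only egress events count (internal SRC, external DST); an ingress drop on
    the same port is the gateway doing its normal job, not an inside infection."""
    nets = [ip_network(n) for n in internal_nets]
    targets = defaultdict(set)
    for ev in parse_log(text):
        if ev["action"] != "DROP" or ev["proto"] != "TCP" or int(ev["dpt"]) != port:
            continue
        if is_internal(ev["src"], nets) and not is_internal(ev["dst"], nets):
            targets[ev["src"]].add(ev["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for host, n in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(f"{host}: dropped outbound TCP/135 to {n} distinct external hosts")
```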
