| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: dufresne at winternet.com (Ron DuFresne) Subject: RE: DCOM RPC exploit On Sun, 27 Jul 2003 Valdis.Kletnieks@...edu wrote: > On Sat, 26 Jul 2003 23:49:05 PDT, "Steve W. Manzuik" said: > > > A worm exploiting this might happen, but is it really that big of a deal? > > Compare the number of boxes that have the bug Slapper exploited with the number > of boxes that have DCOM open to the world.... > > When I hear that a worm's finally been spotted, I'm yanking my laptop off the > net and going home - and it's a Linux box. I'm just expecting to not get any > useful connectivity for a while. > > And of course, anybody who's got half a clue and writes a worm is going to have > it drop off a trojan/backdoor... And then those boxes get used as spam relays, > front-end boxes for porn websites, keyboard sniffers, etc etc. Gonna take a > LONG time to clean that mess up. > > Hell, we're *still* seeing Code Red traffic. And what we've *NOT* seen in the > last 2 years is a CERT advisory of this magnitude against a Microsoft product > that didn't spawn a "Holy Shit" scale worm. > [SNIP] Yet, this only further shows that much more risk mitigation up front is in what's allowed to pass to and from the network, not to mention better install//config defaults, which should be the basis for machines added to the network. Patching, at least getting the mass majority patched, long after an event, even trying to clue the admins and upstream providers is ineffective, at least at the rate that patches and updates and the great numbers of application/addon/trinket replaces known bad code *after* the m$ ladened admins have to maintain... The whole concept of rpc has been an issue across platforms in the various degrees of implimentation, either uninstalling or filtering traffic to dangerous protocols like this. we block the 111 and associated ports by default, why would not 135 be in the mix? This is not the first RPC nor DCOM issue in the not to distant past in this OS, there is a history that should guide one dealing with perimiters as well as admin, install, etc if security is part of the company culture/environment/policy. Thanks, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
Powered by blists - more mailing lists