Message-ID: <SRV2KW3EXCHNGlYHkJy0000003c@srv2kw3exchng.entrenchtech.com>
From: steve at entrenchtech.com (Steve W. Manzuik)
Subject: RE: DCOM RPC exploit 

> Compare the number of boxes that have the bug Slapper 
> exploited with the number of boxes that have DCOM open to the 
> world....

Do you have a stat on the number of boxes with DCOM open?  Do you really
think that the number of organizations still not filtering 135, etc., outnumbers
those running IIS?  Yes, you can exploit this via IIS -- IF IT IS ENABLED
(read: not default).

> And of course, anybody who's got half a clue and writes a 
> worm is going to have it drop off a trojan/backdoor... And 
> then those boxes get used as spam relays, front-end boxes for 
> porn websites, keyboard sniffers, etc etc.  Gonna take a LONG 
> time to clean that mess up.

Sure, but have there actually been any "good" worms yet? 

> Hell, we're *still* seeing Code Red traffic.  And what we've 
> *NOT* seen in the last 2 years is a CERT advisory of this 
> magnitude against a Microsoft product that didn't spawn a 
> "Holy Shit" scale worm.

Don't forget Nimda as well.  But seriously, does Code Red or Nimda actually
cause you connectivity issues?  I see a ton of Code Red/Nimda like traffic
on various logs and yet the effect is pretty much zero.
 
> Unfortunately, we've gotten so lulled by the "Just another
> damned worm" scenario that maybe it's NOT a big deal anymore.
> And that's just as scary as the actual worm.

If your boxes are patched, Firewalls configured properly, IDS tuned and
running -- why would this new worm be so scary?  The only reason that yet
another worm is going to be scary is that people don't patch their boxes or
configure them to be "secure".  Perhaps I am missing something but I think
Code Red and the likes did everyone a huge favor -- forced people to patch
systems, put script kiddies and consultants alike out of business.

Hell, maybe I will write one myself.   ;-)
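The post claims that the Code Red/Nimda-like traffic still visible in logs has "pretty much zero" effect. The check a defender would run to back that up is to separate the worm probes from normal requests and look at how the server answered them: a 404 means the probe bounced off, a 2xx means something actually served the request and needs a closer look. The script below is an added example, not code from the original post or from the list; the log lines are constructed, the log format is an assumed common/combined-style access log, and the request patterns are the long-documented public fingerprints of the two worms the post names (Code Red's `default.ida?NNN…` request and Nimda's `root.exe`/`cmd.exe` and Unicode-traversal requests).

```python
import re
from collections import Counter

# Constructed sample access-log lines (common log format); not taken from the post.
# The last line is deliberately a 200 response so the "did anything actually
# answer the probe?" check has something to find.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2003:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [10/Aug/2003:12:00:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 0
10.0.0.9 - - [10/Aug/2003:12:00:03 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
10.0.0.12 - - [10/Aug/2003:12:00:04 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 0
10.0.0.12 - - [10/Aug/2003:12:00:05 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
10.0.0.7 - - [10/Aug/2003:12:00:06 +0000] "GET /about.html HTTP/1.1" 200 1024
10.0.0.20 - - [10/Aug/2003:12:00:07 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 1024
"""

# Publicly documented request fingerprints of the two worms discussed in the post.
SIGNATURES = {
    "code_red": re.compile(r"GET /default\.ida\?N+", re.I),
    "nimda": re.compile(r"root\.exe|cmd\.exe|%c0%af|%c1%1c", re.I),
}

# Common log format: host ident user [timestamp] "request" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def classify_request(request: str):
    """Return the worm name whose fingerprint matches the request line, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None


def summarize(log_text: str) -> dict:
    """Count worm probes per family, the distinct sources, and how the server answered them."""
    hits = Counter()
    sources = {}
    status_codes = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        worm = classify_request(m["req"])
        if worm is None:
            continue
        hits[worm] += 1
        sources.setdefault(worm, set()).add(m["ip"])
        status_codes[m["status"]] += 1
    return {
        "hits": dict(hits),
        "sources": {k: sorted(v) for k, v in sources.items()},
        "status_codes": dict(status_codes),
    }


def successful_hits(log_text: str) -> list:
    """Worm probes that got a 2xx back: the ones worth investigating, since a
    probe that 404s is just background noise."""
    found = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and classify_request(m["req"]) and m["status"].startswith("2"):
            found.append((m["ip"], m["req"]))
    return found


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(successful_hits(SAMPLE_LOG))
```

Run against a real access log, the status-code breakdown is the interesting part: a wall of 404s supports the "noise, zero effect" reading in the post, while any 2xx in `successful_hits` is a host that answered a worm probe and should be checked rather than dismissed as background traffic.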

