From: cheekypeople at sec33.com (CHeeKY)
Subject: possible MS03-026 worm?

So what you're saying is that you have been scanned using an rpc scanner, a
rpctest was used to determine your operating system, tftp was used to upload
files and the rest can be anything from winmgnt.exe to servudaemon.exe for
opening an ftp server on your box, the worm.exe just looks like a neat batch
file for ease of transfer of files and the spawning of a shell is simply the
dcom rpc windows hack program in operation.

So have we a worm or have we a slight chance of overreactive paranoia
through naming of files?
I value your need for validation, and maybe I am wrong and the rpc worm is
out to kill folk,
I hope my explanation is the one, anyways bring the worm on, I am patched,
stormfront installed, full checkpoint ngfp3 suite and a network patching
program to foil the world hehehehe

Enjoy ya weekend.




----- Original Message ----- 
From: "tcpdumb" <tcpdumb@...tiumbuster.homelinux.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Saturday, August 02, 2003 6:32 PM
Subject: Re: [Full-Disclosure] possible MS03-026 worm?


> On Sat, 2 Aug 2003 11:58:00 -0500
> "mobly99" <dhopper@...ritech.net> wrote:
>
> > Seems to be a possible worm based on the RPC/DCOM exploit making the
> > rounds?
>
> Definitely. Depending on the logfiles from our Firewall at work, there must
> be something out there. Infected machines found at:
>
> 156.34.222.0/24
> 194.96.90.0/24
> 196.30.232.0/24
> 200.0.0.0/8
> 202.0.0.0/8
>
> and so on. Their traffic is about 50-75% of a day's traffic. Fortunately
> without any damage to our systems. The worm seems to check hosts with a
> funny rhythm within a Subnet:
>
> IP=123.123.123.1
>
> $IP+5
> $IP+1
> $IP+4
> $IP+2
> $IP+3
> $IP+3
> $IP+2
> $IP+4
> $IP+1
> $IP+5
> ...
> ...
>
>
> Dunno why but I found it out reading the 24h output of our Firewall. The
> coder must be stupid/[totally stoned] or simply made a mistake coding the
> loops for scanning.
> Strange thing,
>
> Lukas
>
> > puts these files in %systemdrive%
> > rpc.exe
> > rpctest.exe
> > tftpd.exe
> > worm.exe
> > lolx.exe
> >
> > also in %windir%\system32
> > lolx.exe
> > dcomx.exe
> >
> > rpc.exe and dcomx.exe appear in the running tasks.
> >
> >
> > I pulled samples of them and submitted to SARC.
> >
> >
> > -Dave
> >
>
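
Added example, not part of the original messages: one way to search firewall logs for the probe rhythm described in the quoted message ($IP+5, $IP+1, $IP+4, $IP+2, $IP+3, $IP+3, $IP+2, $IP+4, $IP+1, $IP+5). The `src=`/`dst=` log format, the sample lines and the name `find_rhythm` are assumptions, and lines are assumed to be in time order.

```python
import ipaddress
import re
from collections import defaultdict

# Offsets reported in the quoted message, relative to a base address $IP.
RHYTHM = [5, 1, 4, 2, 3, 3, 2, 4, 1, 5]
LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")  # hypothetical log format


def find_rhythm(log_lines, rhythm=RHYTHM):
    """Return sorted (source, base address) pairs whose probes follow the rhythm."""
    per_src = defaultdict(list)
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not in the assumed format
        try:
            dst = int(ipaddress.IPv4Address(m.group(2)))
        except ipaddress.AddressValueError:
            continue  # destination is not a valid IPv4 address
        per_src[m.group(1)].append(dst)  # group per source so interleaving is harmless

    hits, n = set(), len(rhythm)
    for src, dsts in per_src.items():
        for i in range(len(dsts) - n + 1):
            window = dsts[i:i + n]
            # The smallest offset in the rhythm is +1, so base = min(window) - 1.
            base = min(window) - min(rhythm)
            if base >= 0 and [d - base for d in window] == rhythm:
                hits.add((src, str(ipaddress.IPv4Address(base))))
    return sorted(hits)


def _line(src, dst):
    return f"2003-08-02T18:00:00 DROP src={src} dst={dst}"


# Constructed sample log (documentation address ranges, not data from the thread).
SAMPLE_LOG = (
    [_line("198.51.100.7", f"192.0.2.{1 + k}") for k in RHYTHM]      # follows the rhythm
    + [_line("203.0.113.9", f"192.0.2.{h}") for h in range(1, 11)]   # plain sequential sweep
)

if __name__ == "__main__":
    for src, base in find_rhythm(SAMPLE_LOG):
        print(f"{src} probes with the reported rhythm, base {base}")
```
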


