lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <001301c35927$1c5dece0$0100a8c0@cp30f99b0ae7a6>
From: cheekypeople at sec33.com (CHeeKY)
Subject: possible MS03-026 worm?

so what your saying is that you have been scanned using a rpc scanner, a
rpctest was used to determine your operating system, tftp was used to upload
files and the rest can be anything from winmgnt.exe to servudaemon.exe for
opening a ftp server on your box, the worm.exe just looks like a neat batch
file for ease of transfer of files and the spawning of a shell is simply the
dcom rpc windows hack program in operation.

So have we a worm or have we a slight chance of over reactive paranoia
through naming of files?
I value your need for valadation, and maybe I am wrong and the rpc worm is
out to kill folk,
I hope my explanation is the one, anyways bring the worm on, I am patched,
stormfront installed, full checkpoint ngfp3 suite and a network patching
program to foil the world hehehehe

Enjoy ya weekend.


-------------------------------------------------------------------------
FIGHT BACK AGAINST SPAM!
Download Spam Inspector, the Award Winning Anti-Spam Filter
http://mail.giantcompany.com


----- Original Message ----- 
From: "tcpdumb" <tcpdumb@...tiumbuster.homelinux.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Saturday, August 02, 2003 6:32 PM
Subject: Re: [Full-Disclosure] possible MS03-026 worm?


> On Sat, 2 Aug 2003 11:58:00 -0500
> "mobly99" <dhopper@...ritech.net> wrote:
>
> > Seems to be a possible worm based on the RPC/DCOM exploit making the
> > rounds?
>
> Definetly. Depending on the logfiles from our Firewall at work, there must
be something out there. Infected machines found at:
>
> 156.34.222.0/24
> 194.96.90.0/24
> 196.30.232.0/24
> 200.0.0.0/8
> 202.0.0.0/8
>
> and so on. Their traffic is about 50-75% of a day's traffic. Fortunately
without any damage to our systems. The worm seems to check hosts with a
funny ryhtm within a Subnet:
>
> IP=123.123.123.1
>
> $IP+5
> $IP+1
> $IP+4
> $IP+2
> $IP+3
> $IP+3
> $IP+2
> $IP+4
> $IP+1
> $IP+5
> ...
> ...
>
>
> Dunno why but I found it out reading the 24h output of our Firewall. The
coder must be stupid/[totally stoned] or simply made a mistake coding the
loops for scanning.
> Strange thing,
>
> Lukas
>
> > puts these files in %systemdrive%
> > rpc.exe
> > rpctest.exe
> > tftpd.exe
> > worm.exe
> > lolx.exe
> >
> > also in %windir%\system32
> > lolx.exe
> > dcomx.exe
> >
> > rpc.exe and dcomx.exe appear in the running tasks.
> >
> >
> > I pulled samples of them and submitted to SARC.
> >
> >
> > -Dave
> >
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ