Message-ID: <Pine.LNX.4.55.0308111820420.8601@afybt.areqp.hsy.rqh>
From: jwiens at nersp.nerdc.ufl.edu (Jordan Wiens)
Subject: DCOM Worm released

I can confirm that on our currently running network with IDS and flow
data.  TFTP is from the attacking source, not from any centralized
servers.

-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Mon, 11 Aug 2003, Dennis Opacki wrote:

>
> Never mind. SANS now indicates:
>
> Infection sequence:
>
> 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit
>    to TARGET
> 2. this causes a remote shell on port 4444 at the TARGET
> 3. the SOURCE now sends the tftp get command to the TARGET, using the
>    shell on port 4444,
> 4. the target will now connect to the tftp server at the SOURCE.
>
>
> On Mon, 11 Aug 2003, Dennis Opacki wrote:
>
> >
> > Can anyone confirm whether the tftp transfers appear to be solely from the
> > hosts listed in the initial sans.org note (which now appear to have been
> > taken down), or is the transfer done from the infecting host?
> >
> > TIA,
> >
> > -Dennis
> >
> > On Mon, 11 Aug 2003, Joey wrote:
> >
> > > They found a worm, but since it uses tftp servers that
> > > can be taken down and since tftp is slow, it shouldn't
> > > have much of an effect.
> > >
> > > "Scans sequentially for machines with open port 135,
> > > starting at a presumably random IP address" - very
> > > stupid way to spread!
> > >
> > > http://isc.sans.org/diary.html?date=2003-08-11
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > >
> >
>
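The three-step sequence quoted above (135/tcp exploit, shell on 4444/tcp, TFTP fetch back to the source) is exactly the kind of pattern a flow-data correlator can pick out, which is how the confirmation at the top of this message was obtained. The following is an added illustration, not code from anyone in the thread or from SANS: it walks constructed NetFlow-like records, tracks each (source, target) pair through the three stages, and reports only pairs where the TFTP request travels from the target back to the same source, so a bare 135/tcp scan is not counted as an infection. The `Flow` layout, the 300-second window and all addresses are assumptions made for the example.

```python
"""Correlate flow records into the infection sequence described in the thread:
  1. source -> target:135/tcp   (DCOM exploit)
  2. source -> target:4444/tcp  (remote shell)
  3. target -> source:69/udp    (TFTP fetch, from the attacking source)

Added example, not code from the thread. All records below are constructed
sample data; the Flow tuple is a hypothetical NetFlow-like layout.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ports named in the thread's infection sequence.
DCOM_PORT = 135
SHELL_PORT = 4444
TFTP_PORT = 69


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since capture start (constructed)
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def find_infection_sequences(flows, window=300.0):
    """Return (source, target) pairs that complete all three stages in order,
    with stage 3 occurring within `window` seconds of stage 1.

    Stage 3 is keyed on the reversed (target, source) roles: the TFTP request
    must come from the freshly exploited host back to the host that hit it,
    which is what distinguishes an infection from a scan or a stray TFTP."""
    stage = {}   # (source, target) -> (stage reached, ts of stage 1)
    hits = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto == "tcp" and f.dport == DCOM_PORT:
            stage.setdefault((f.src, f.dst), (1, f.ts))
        elif f.proto == "tcp" and f.dport == SHELL_PORT:
            st = stage.get((f.src, f.dst))
            if st and st[0] == 1 and f.ts - st[1] <= window:
                stage[(f.src, f.dst)] = (2, st[1])
        elif f.proto == "udp" and f.dport == TFTP_PORT:
            key = (f.dst, f.src)          # target -> source: swap roles
            st = stage.get(key)
            if st and st[0] == 2 and f.ts - st[1] <= window:
                hits.append(key)
                del stage[key]            # report each pair once
    return hits


def scan_fanout(flows):
    """Distinct hosts each source probed on 135/tcp. A large fan-out with few
    completed sequences is the sequential scan the thread describes."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == DCOM_PORT:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items()}


# Constructed sample flows (addresses are RFC 1918 placeholders).
SAMPLE_FLOWS = [
    # Full sequence: 10.0.0.5 infects 10.0.0.20, which TFTPs back to .5
    Flow(0.0, "tcp", "10.0.0.5", 40001, "10.0.0.20", 135),
    Flow(2.0, "tcp", "10.0.0.5", 40002, "10.0.0.20", 4444),
    Flow(3.0, "udp", "10.0.0.20", 1025, "10.0.0.5", 69),
    # Same source scanning onward without getting a shell
    Flow(4.0, "tcp", "10.0.0.5", 40003, "10.0.0.21", 135),
    Flow(5.0, "tcp", "10.0.0.5", 40004, "10.0.0.22", 135),
    Flow(6.0, "tcp", "10.0.0.5", 40005, "10.0.0.23", 135),
    # Shell obtained but TFTP arrives long after the window: not reported
    Flow(100.0, "tcp", "10.0.0.9", 50001, "10.0.0.30", 135),
    Flow(101.0, "tcp", "10.0.0.9", 50002, "10.0.0.30", 4444),
    Flow(900.0, "udp", "10.0.0.30", 1026, "10.0.0.9", 69),
    # TFTP without a preceding 4444 shell: not reported
    Flow(200.0, "tcp", "10.0.0.7", 60001, "10.0.0.40", 135),
    Flow(201.0, "udp", "10.0.0.40", 1027, "10.0.0.7", 69),
]

if __name__ == "__main__":
    for src, dst in find_infection_sequences(SAMPLE_FLOWS):
        print(f"infection sequence: {src} -> {dst}, TFTP back to {src}")
    for src, n in scan_fanout(SAMPLE_FLOWS).items():
        print(f"{src} probed 135/tcp on {n} host(s)")
```

Only the first pair is reported; the other two sources show up in the fan-out summary as scanners but never complete the TFTP step, which matches the observation in this thread that the transfer comes from the infecting host rather than from a central server that could be taken down.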
