Message-ID: <006f01c362a0$86bfc4f0$9302a8c0@Constant>
From: jeremiah at nur.net (Jeremiah Cornelius)
Subject: New Blaster variant using UDP port 1038?

> ---- Original Message -----
> From: Stahlkrantz, Mats (Mats)
> To: full-disclosure@...ts.netsys.com
> Sent: Thursday, August 14, 2003 10:48 AM
> Subject: [Full-Disclosure] New Blaster variant using UDP port 1038?
>
> We're starting to see exploit attempts that are followed by probes from the infected host on tcp/4444,
> and then UDP/1038. Has anyone else seen this?

1038 UDP is used by BIND, and by one of the sundry lock RPCs in NFS.

The deal here is probably Dell OMI, a management interface. Kurt Sifried has this documented on his ports list at sifried.org

Are your machines Dell? I would bet that killing RPC is making the OMI agent go nutty, and broadcast. The relevant executable is win32sl.exe.

--
Jeremiah Cornelius, CISSP, CCNA, MCSE, Debianaut
farm9 Security
email: jc@...m9.com - mobile: 415.235.7689
"What would be the use of immortality to a person who cannot use well a half hour?" --Ralph Waldo Emerson