Message-ID: <20030920204140.C617C6934@mdev.river.com>
From: rnews at whirlpool.river.com (Richard Johnson)
Subject: Probable new MS DCOM RPC worm for Windows

We've noticed increased scan activity on port 135, ramping up over the 
past 20 hours.

The scanning appears to concentrate on nearby /16s.  For example, when 
the source host has IP in 10.117.68.0/24, we've seen scanning of at 
least single /24s within 10.114.0.0/16, 10.118.0.0/16 and 
10.116.0.0/16, and nowhere else yet.

We've also had 2nd-hand reports of svchost.exe being killed on hosts 
being attacked, causing downloading patches during the attack to fail.  
Also, at least two dialup links are being flooded into uselessness by 
the scan traffic from others nearby.


Richard

-------
Example headers:

Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
...
Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
...
Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)

-- 
To reply via email, make sure you don't enter the whirlpool on river left.

My mailbox. My property. My personal space. My rules. Deal with it.
                        http://www.river.com/users/share/cluetrain/
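As an added example (not part of the original post), the detection logic a defender could run over tcpdump lines in the format quoted above: it extracts SYNs to port 135, flags sources that probe several distinct /24s, and reports how much of each source's probing stays within neighbouring /16s, the local-preference pattern the post describes. The sample lines below are constructed (patterned on the three in the post; the 10.x addresses are placeholders).

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the tcpdump format shown in the post (values invented).
SAMPLE = """\
Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:21:48.402113 0800 62: 10.117.68.93.1913 > 10.114.18.22.135: S 2922514107:2922514107(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:21:49.010001 0800 62: 10.117.68.93.1914 > 10.118.2.7.135: S 2922514108:2922514108(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:21:49.220301 0800 62: 10.117.68.93.1915 > 10.116.132.9.135: S 2922514109:2922514109(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:22:00.000000 0800 62: 10.117.68.10.3001 > 10.117.68.1.80: S 1000000001:1000000001(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:22:01.000000 0800 62: 10.117.68.10.3002 > 10.117.68.2.135: S 1000000002:1000000002(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
"""

# Matches "<timestamp> ... <src>.<sport> > <dst>.<dport>: S" (a TCP SYN in tcpdump output).
SYN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) .*?(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S "
)

def parse_syns(text, port=135):
    """Yield (src, dst) for every SYN to `port` found in tcpdump-style text."""
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m and int(m.group("dport")) == port:
            yield m.group("src"), m.group("dst")

def slash24(ip):
    """The /24 containing ip, e.g. 10.114.18.21 -> 10.114.18.0/24."""
    return str(ip_network(f"{ip}/24", strict=False))

def nearby(src, dst, width=4):
    """True when dst lies in the same /8 and within `width` /16s of src."""
    s, d = ip_address(src).packed, ip_address(dst).packed
    return s[0] == d[0] and abs(s[1] - d[1]) <= width

def find_scanners(text, min_subnets=3):
    """Map each source that SYNs port 135 in >= min_subnets distinct /24s to those /24s."""
    hits = defaultdict(set)
    for src, dst in parse_syns(text):
        hits[src].add(slash24(dst))
    return {src: sorted(nets) for src, nets in hits.items() if len(nets) >= min_subnets}

def neighbour_bias(text, width=4):
    """Per source: (port-135 SYNs into nearby /16s, all port-135 SYNs); a high ratio matches the post's pattern."""
    counts = defaultdict(lambda: [0, 0])
    for src, dst in parse_syns(text):
        counts[src][1] += 1
        counts[src][0] += nearby(src, dst, width)
    return {src: tuple(c) for src, c in counts.items()}

if __name__ == "__main__":
    for src, nets in find_scanners(SAMPLE).items():
        print(src, "scanned", nets, "nearby/total =", neighbour_bias(SAMPLE)[src])
```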

