Message-ID: <000701c37fd1$fb205b40$4f4dcb0c@voltairecf5c95>
From: phlox at comcast.net (phlox)
Subject: Probable new MS DCOM RPC worm for Windows
It can be people with autorooters, using it from unix shells or windows
boxes... doesn't have to be a worm, technically. You can spread a trojan
just as fast with a scanner, if not faster than a worm.
-phlox
----- Original Message -----
From: "Richard Johnson" <rnews@...rlpool.river.com>
To: <full-disclosure@...ts.netsys.com>; <incidents@...urityfocus.com>
Sent: Saturday, September 20, 2003 1:41 PM
Subject: [Full-Disclosure] Probable new MS DCOM RPC worm for Windows
> We've noticed increased scan activity on port 135, ramping up over the
> past 20 hours.
>
> The scanning appears to concentrate on nearby /16s. For example, when
> the source host has IP in 10.117.68.0/24, we've seen scanning of at
> least single /24s within 10.114.0.0/16, 10.118.0.0/16 and
> 10.116.0.0/16, and nowhere else yet.
>
> We've also had 2nd-hand reports of svchost.exe being killed on hosts
> being attacked, causing patch downloads during the attack to fail.
> Also, at least two dialup links are being flooded into uselessness by
> the scan traffic from others nearby.
>
>
> Richard
>
> -------
> Example headers:
>
> Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
> ...
> Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
> ...
> Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
>
> --
> To reply via email, make sure you don't enter the whirlpool on river left.
>
> My mailbox. My property. My personal space. My rules. Deal with it.
> http://www.river.com/users/share/cluetrain/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
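Detection logic for the scan pattern Richard describes, as an added example that is not part of either message. It parses tcpdump lines in the format quoted above, groups SYNs to tcp/135 by source, and for each source that hits several distinct hosts reports which destination /16s lie within a few /16s of the source's own /16 (the "nearby /16s" behaviour in the post) versus further away. The sample input is constructed: the three quoted headers plus invented lines in the same format; the thresholds (`min_targets`, `max_16_hops`) and the "hops between /16s" distance measure are assumptions, not anything the post states.

```python
import ipaddress
import re
from collections import defaultdict

# Address part of an old-style tcpdump TCP line: "src.sport > dst.dport: S ..."
SYN_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+): S "
)

# Constructed sample (assumption): the three headers quoted in the post plus
# invented lines in the same format, so the thresholds below have something
# to trigger on. Not real capture data.
SAMPLE = """\
Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:21:48.401212 0800 62: 10.117.68.93.1913 > 10.114.18.22.135: S 2922514107:2922514107(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:21:48.455901 0800 62: 10.117.68.93.1914 > 10.118.2.140.135: S 2922514108:2922514108(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:21:48.502313 0800 62: 10.117.68.93.1915 > 10.116.132.184.135: S 2922514109:2922514109(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 17:21:48.550000 0800 62: 10.117.68.93.1916 > 10.200.1.1.135: S 2922514110:2922514110(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 20 13:55:16.000000 0800 62: 10.117.68.50.1915 > 10.117.68.80.80: S 3274268793:3274268793(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
"""


def parse_syns(text):
    """Return (src_ip, sport, dst_ip, dport) for every SYN line in text."""
    records = []
    for line in text.splitlines():
        m = SYN_RE.search(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return records


def slash16(ip):
    """The /16 network containing ip."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def flag_scanners(records, dport=135, min_targets=3, max_16_hops=4):
    """Report sources that SYN to dport on at least min_targets distinct hosts.

    For each flagged source, split the destination /16s into those within
    max_16_hops /16s of the source's own /16 ("nearby", the pattern in the
    post) and the rest. Thresholds are assumptions, not values from the post.
    """
    targets = defaultdict(set)
    for src, _sport, dst, dp in records:
        if dp == dport:
            targets[src].add(dst)

    hits = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        src16 = slash16(src)
        nearby, far = [], []
        for net in sorted({slash16(d) for d in dsts}):
            # distance measured in whole /16 blocks between the two network addresses
            hops = abs(int(net.network_address) - int(src16.network_address)) // 2**16
            (nearby if hops <= max_16_hops else far).append(str(net))
        hits[src] = {"targets": len(dsts), "nearby_16s": nearby, "far_16s": far}
    return hits


if __name__ == "__main__":
    for src, info in flag_scanners(parse_syns(SAMPLE)).items():
        print(f"{src}: {info['targets']} hosts on tcp/135, "
              f"nearby /16s {info['nearby_16s']}, far /16s {info['far_16s']}")
```

Against the constructed sample only 10.117.68.93 clears the three-host threshold; the single SYN from each of the other two sources is dropped, and the tcp/80 line is ignored entirely. Feed it real `tcpdump -n 'tcp[13] == 2 and dst port 135'` output and lower `min_targets` to see which sources are walking adjacent /16s.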