From: phlox at comcast.net (phlox)
Subject: Probable new MS DCOM RPC worm for Windows

It can be people with autorooters, using it from Unix shells, or Windows
boxes.. doesn't have to be a worm... technically.. you can spread a trojan
just as fast with a scanner.. if not faster than a worm..

-phlox

----- Original Message ----- 
From: "Richard Johnson" <rnews@...rlpool.river.com>
To: <full-disclosure@...ts.netsys.com>; <incidents@...urityfocus.com>
Sent: Saturday, September 20, 2003 1:41 PM
Subject: [Full-Disclosure] Probable new MS DCOM RPC worm for Windows


> We've noticed increased scan activity on port 135, ramping up over the
> past 20 hours.
>
> The scanning appears to concentrate on nearby /16s.  For example, when
> the source host has IP in 10.117.68.0/24, we've seen scanning of at
> least single /24s within 10.114.0.0/16, 10.118.0.0/16 and
> 10.116.0.0/16, and nowhere else yet.
>
> We've also had 2nd-hand reports of svchost.exe being killed on hosts
> being attacked, causing downloading patches during the attack to fail.
> Also, at least two dialup links are being flooded into uselessness by
> the scan traffic from others nearby.
>
>
> Richard
>
> -------
> Example headers:
>
> Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
> ...
> Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
> ...
> Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
>
> -- 
> To reply via email, make sure you don't enter the whirlpool on river left.
>
> My mailbox. My property. My personal space. My rules. Deal with it.
>                         http://www.river.com/users/share/cluetrain/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
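
The scan pattern described in the quoted report can be summarised from tcpdump headers like the ones it shows. The following is an added example, not part of either post: it groups SYNs to port 135 by source /24 and destination /16. The function names, the extra non-135 sample line, and the reading of "nearby" as "same first octet" are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# The three example headers from the quoted post (wrapped lines rejoined),
# plus one constructed non-135 line to show that it is filtered out.
SAMPLE = """\
Sep 19 17:21:48.356841 0800 62: 10.117.68.93.1912 > 10.114.18.21.135: S 2922514106:2922514106(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 19 20:35:19.248342 0800 62: 10.117.68.81.2195 > 10.118.2.146.135: S 1536913838:1536913838(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 20 13:55:15.440811 0800 62: 10.117.68.50.1914 > 10.116.132.184.135: S 3274268792:3274268792(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
Sep 20 13:55:16.000000 0800 62: 10.117.68.50.1915 > 10.116.132.184.80: S 1:1(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
"""

# tcpdump prints address.port; capture both ends of a segment with the S flag.
SYN_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S "
)

def scan_summary(text, port=135):
    """Map each source /24 to the sorted destination /16s it sent SYNs to on `port`."""
    targets = defaultdict(set)
    for line in text.splitlines():
        m = SYN_RE.search(line)
        # Skip non-matching lines, other ports, and SYN-ACK replies.
        if not m or int(m.group("dport")) != port or " ack " in line:
            continue
        src_net = ipaddress.ip_network(m.group("src") + "/24", strict=False)
        dst_net = ipaddress.ip_network(m.group("dst") + "/16", strict=False)
        targets[str(src_net)].add(str(dst_net))
    return {src: sorted(dsts) for src, dsts in targets.items()}

def nearby(src_net, dst_net):
    """Assumed meaning of 'nearby': both networks share the same first octet."""
    a = ipaddress.ip_network(src_net).network_address.packed[0]
    b = ipaddress.ip_network(dst_net).network_address.packed[0]
    return a == b

if __name__ == "__main__":
    for src, dsts in scan_summary(SAMPLE).items():
        note = "(all nearby)" if all(nearby(src, d) for d in dsts) else ""
        print(src, "->", ", ".join(dsts), note)
```
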


