Message-ID: <OF90A1BB30.077A4A1E-ON80256E3D.00618EFF-80256E3D.006491FC@lexicon.co.uk>
From: mike.keighley at adarelexicon.com (mike.keighley@...relexicon.com)
Subject: Re: Full-Disclosure digest, Vol 1 #1456 - 15 msgs

Robin,

The patch for MS03-039 should stop a worm (e.g. Blaster) from spreading to 
other hosts on your LAN via RPC/DCOM.
It does nothing to stop infection of the local machine via (say) an IE 
object vulnerability.
Given that the infected file is in the IE temp folder, this is highly 
likely.
A quick google on "IE object vulnerability" will yield more than you 
wanted to know, but the short version is that many such bugs have been 
fixed in IE patches over the last few years, and many still have not.

Yes we had one laptop infected like this, within about 5 mins of first 
connecting it to the net.
The admin who did this without checking the anti-virus status first has 
been flogged.
Some would say you need anti-virus, anti-spyware, personal-firewall, IE 
patches, and scripting turned off.
Others would say you need a different browser <g>

Mike.

-----Original Message-----
From: Ferris, Robin [mailto:R.Ferris@...ier.ac.uk]
Sent: 17 February 2004 14:59
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] exploit-dcomrpc.gen

Hi folks
 
A couple of quick questions: has anyone else seen this infection recently, 
exploit-dcomrpc.gen? You would probably be using McAfee to see it detected 
as this. 
 
What is odd is that these machines that are infected are patched with 
MS03-007/026/039. Was wondering if anyone had seen this at all.
Infection goes to c:\windows\system32\drivers\svchost.exe 
Infected file is in IE temp folder labelled as WksPatch[1].exe
Any info would be appreciated.
 
Thanks
 
Robin

