RPC DCOM Exploit - Widespread use...

Discussion in 'other security issues & news' started by AplusWebMaster, Aug 2, 2003.

Thread Status:
Not open for further replies.
  1. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello Jooske,

    Not 53 (DNS) but BLOCK 593 TCP IN
    But it's always a good idea to permit 53 UDP IN/OUT only to your DNS servers

    Rgds,
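    The two rules in the post above, expressed as an added example (not part of the thread, and not ZoneAlarm's own rule syntax): a minimal first-match packet-filter policy that blocks TCP 593 inbound and permits UDP 53 only to and from the host's own resolvers. The `Packet`/`Rule` format and the resolver addresses (RFC 5737 documentation range) are constructed for the demo.

```python
"""Added example, not from the thread: a first-match packet-filter policy
modelling "block 593 TCP in" and "53 UDP only to your DNS servers".
Rule format and DNS server addresses are constructed for this demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" or "out", relative to this host
    proto: str        # "tcp" or "udp"
    remote_ip: str
    local_port: int
    remote_port: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    direction: Optional[str] = None   # None = either direction
    proto: Optional[str] = None
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    remote_nets: Tuple[str, ...] = ()  # empty = any remote address

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and pkt.direction != self.direction:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.local_port is not None and pkt.local_port != self.local_port:
            return False
        if self.remote_port is not None and pkt.remote_port != self.remote_port:
            return False
        if self.remote_nets:
            addr = ip_address(pkt.remote_ip)
            if not any(addr in ip_network(n) for n in self.remote_nets):
                return False
        return True


# Constructed resolver addresses (RFC 5737 documentation range); replace with
# the DNS servers your host is actually configured to use.
DNS_SERVERS = ("192.0.2.53/32", "192.0.2.54/32")

POLICY = [
    # 1. Block TCP 593 (RPC over HTTP endpoint mapper) inbound, as the post says.
    Rule("block", direction="in", proto="tcp", local_port=593),
    # 2. UDP 53: queries to, and replies from, our own resolvers are allowed...
    Rule("allow", proto="udp", remote_port=53, remote_nets=DNS_SERVERS),
    # ...and DNS traffic with any other host is blocked in both directions.
    Rule("block", proto="udp", remote_port=53),
]


def evaluate(pkt: Packet, policy=POLICY) -> Tuple[str, Optional[int]]:
    """First matching rule wins (returns its action and index); with no match,
    inbound traffic is blocked and outbound traffic is allowed."""
    for idx, rule in enumerate(policy):
        if rule.matches(pkt):
            return rule.action, idx
    return ("block" if pkt.direction == "in" else "allow"), None


if __name__ == "__main__":
    print(evaluate(Packet("in", "tcp", "203.0.113.7", 593, 40000)))   # blocked by rule 0
    print(evaluate(Packet("out", "udp", "192.0.2.53", 51000, 53)))    # allowed by rule 1
    print(evaluate(Packet("out", "udp", "203.0.113.9", 51000, 53)))   # blocked by rule 2
```

    Rule order matters: the allow for the configured resolvers must precede the general UDP 53 block, and because the default for inbound is block, an unsolicited UDP 53 packet from an unknown host never reaches the allow rule.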
     
  2. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I must be behind in all the current recommendations :)
    I went to Windows Update and indeed I can just nicely get what I need, and that special patch is not available for the Win9x series. Must we sleep better now with that?
    OK, adding the 593 to the blocked ports list. But I am in the highest block (stealthed) already; but in these circumstances I make it a habit to add such ports to the trusted/medium settings as well in advance, as there are some sites added to the trusted zone to function well, and so I guess to avoid any risks it is not a bad idea to block those things extra.

    Thanks for the quick link to the NanoProbe --both show stealth of course--
    I always wonder if that "invisible" also means they are really closed (generally speaking) in case someone finds them.


    Thanks for the recommendation to have port 53 only available for DNS -- can you tell me how to do that in ZAPro?
    I mean: in the high security it has a setting to allow port 53 outbound traffic, so it must be standard stealthed, so what to change here to make it better? Something in the expert rules?
     
  4. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    ;) FYI...updated info from the Internet Storm Center and GRC:

    Blaster Worm Update - Power Outage
    Updated August 15th 2003 11:20 EDT
    http://isc.sans.org/diary.html?date=2003-08-15
    "- Overview
    Microsoft decided to no longer resolve 'windowsupdate.com'. The Blaster worm will not start its DDOS attack as a result. 'www.windowsupdate.com' and 'windowsupdate.microsoft.com' continue to be reachable.
    As the traffic caused by 'blaster' did start to show a decrease, a widespread power outage across the Northeastern US caught everyone's attention. From news coverage, there is no relation between blaster and the power outage. However, the extent and duration of the power outage caused numerous ISPs across the northeastern US and Canada to shut down until power was restored..."
    (More good info available at the site - use the link posted above).

    GRC
    http://grc.com/default.htm
    Friday, August 15th
    Day Five: Microsoft Dodges the MSBlast
    - As expected, Microsoft has shut down the "windowsupdate.com" domain at which the MSBlast worm's forthcoming attack was aimed. Since the Windows operating systems use the domain "windowsupdate.microsoft.com" rather than simply "windowsupdate.com", Microsoft has been able to preempt the worm's intended Distributed Denial of Service (DDoS) attack merely by abandoning the "windowsupdate.com" domain.
    - Analysis of the worm's attack code suggests that its use of the "wrong" domain may have been deliberate: The worm uses Windows' Raw Sockets to generate a spoofed source IP SYN flood attack, but it does so with deliberate gentleness. Each instance of the worm emits only 50 SYN packets per second, deliberately and significantly throttling each machine's contribution to the attack.
    - We can only speculate what was in the mind of the worm's author(s). But if the 200,000 instances of this worm had chosen to target "windowsupdate.microsoft.com" or even "microsoft.com" with an unthrottled Raw Socket SYN flood, a very different scenario would be playing out today and tomorrow: Microsoft.com would be gone.
    - But the worm's originator(s) appear to have been more interested in making a point, than in taking Microsoft.com permanently off the Internet - which they could have easily done..."
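    The GRC excerpt describes a spoofed-source SYN flood throttled to 50 SYN packets per second per infected host. The following is an added example, not part of the thread or of GRC's analysis, showing the detection consequence a defender cares about: because every SYN carries a different spoofed source, a per-source rate limit sees at most one packet per host, while an aggregate per-destination count exposes the flood immediately. The packet records, the target address (RFC 5737 documentation range) and the spoofed sources are all constructed.

```python
"""Added example, not from the thread: detection logic for a spoofed-source,
rate-throttled SYN flood of the kind the GRC excerpt describes.
All packet records are constructed; TARGET is a documentation address."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Pkt:
    t: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: str    # "S" = SYN only, "SA" = SYN/ACK, "A" = ACK


TARGET = "192.0.2.10"   # constructed stand-in for the host under attack


def spoofed_src(i: int) -> str:
    # Deterministic, collision-free fake source in 10.0.0.0/8: the multiplier is
    # odd, so i -> i*2654435761 mod 2^24 is a bijection. Models a worm instance
    # that forges a fresh source address on every SYN it sends.
    return str(ip_address(0x0A000000 + (i * 2654435761) % (1 << 24)))


def build_sample(rate: int = 50, seconds: int = 3) -> list:
    """Constructed capture: one worm instance emitting `rate` SYNs per second
    with spoofed sources, plus one legitimate client completing a handshake."""
    pkts = []
    for w in range(seconds):
        for k in range(rate):
            pkts.append(Pkt(w + k / rate, spoofed_src(w * rate + k), TARGET, 80, "S"))
    pkts.append(Pkt(0.30, "198.51.100.5", TARGET, 80, "S"))
    pkts.append(Pkt(0.31, TARGET, "198.51.100.5", 51000, "SA"))
    pkts.append(Pkt(0.32, "198.51.100.5", TARGET, 80, "A"))
    return sorted(pkts, key=lambda p: p.t)


def detect_syn_flood(pkts, threshold: int = 50, window: float = 1.0) -> list:
    """Aggregate SYN-only packets per (destination, time window) and alert when
    a window reaches `threshold`. Distinct source count is reported so the
    analyst sees why per-source limits would not have fired."""
    syns = defaultdict(int)
    srcs = defaultdict(set)
    for p in pkts:
        if p.flags != "S":
            continue
        key = (p.dst, int(p.t // window))
        syns[key] += 1
        srcs[key].add(p.src)
    alerts = []
    for (dst, w), n in sorted(syns.items()):
        if n >= threshold:
            alerts.append({"dst": dst, "window": w, "syn_count": n,
                           "distinct_sources": len(srcs[(dst, w)])})
    return alerts


def max_syns_per_source(pkts, window: float = 1.0) -> int:
    """What a per-source rate limiter observes: the busiest (source, window)
    pair. Under per-packet spoofing every SYN looks like a new host."""
    counts = defaultdict(int)
    for p in pkts:
        if p.flags == "S":
            counts[(p.src, int(p.t // window))] += 1
    return max(counts.values(), default=0)


if __name__ == "__main__":
    sample = build_sample()
    for alert in detect_syn_flood(sample):
        print(alert)
    print("max SYNs from any single source per second:", max_syns_per_source(sample))
```

    With the constructed capture, each one-second window toward `TARGET` holds 50 worm SYNs (51 in the first, counting the legitimate client), each from a distinct source, while no single source ever exceeds one SYN per second; the threshold is deliberately set at the 50 SYN/s figure the excerpt quotes for one infected host, so one instance already trips it, and a larger botnet only raises the aggregate.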
     
  5. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    ;) FYI...update from the Internet Storm Center:

    Blaster Worm Cleanup
    Updated August 16th 2003 15:19 EDT
    http://isc.sans.org/diary.html?date=2003-08-16
    "Summary
    - The DDOS attack against windowsupdate.com has been avoided so far due to Microsoft's decision to no longer resolve this particular hostname. Other hosts within this domain are still accessible, so is 'windowsupdate.microsoft.com', the hostname used by Windows Update.
    - In the wake of this worm, at least one virus has been reported to masquerade itself as a "Blaster Worm Fix". As always, do not execute any attachments from unknown sources.
    - One popup ad has been spotted which attempts to mimic the RPC error message in order to trick users into purchasing a software firewall..."
     
  6. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    Blaster Worm Suspect Arrested
    http://story.news.yahoo.com/news?tmpl=story&cid=581&ncid=581&e=1&u=/nm/20030829/tc_nm/tech_internet_blaster_dc
    "SEATTLE/SAN FRANCISCO (Reuters) - Seeking to deliver a blunt warning to hackers everywhere, U.S. officials on Friday arrested a teenager who admitted to making a copycat version of the Blaster Internet worm that infected computers around the world. Jeffrey Lee Parson, 18, was arrested in his hometown, the Minneapolis suburb of Hopkins, and charged with one count of intentionally causing or attempting to cause damage to a computer. He faces a maximum of 10 years in prison and a $250,000 fine if convicted..."
     