Outbreaks of RPC vulnerable systems

Discussion in 'other firewalls' started by BlitzenZeus, Aug 11, 2003.

Thread Status:
Not open for further replies.
  1. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    As many have noticed, there has been a huge surge in probes to Windows NT system ports. People who have not kept up with the Windows updates, and don't have a properly configured firewall installed, are being shut down remotely against their will. All because they didn't know, or didn't care enough to keep up with it.

    On BBR it seems quite a few members are coming out of the woodwork as they are having this problem, and it's funny. They are only now finding out that it could have been much more serious, and some still just want to apply the patch only. One guy was asking on behalf of customers, as he works at BestBuy, and doesn't want to recommend a firewall to customers.

    This could have been much worse, it could have been like Code Red for RPC, and I think most people remember when Code Red happened.... There were so many systems infected so quickly that it could not be controlled until people actually started patching their systems.

    I wonder when people will realize that they need to protect their NT operating system, as it's always acting as a server, but many still don't know or care about it until it's too late. As it goes with most security issues, and the common mistake of running warez/p2p files.
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Amen to that, BlitzenZeus.

    regards,

    paul
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    I'm still reading the main thread on this at DSLR, but, just a couple of hours ago (where I am in the thread), even the patch wasn't fully stopping this.

    Unpatched systems were getting easily infected and starting to infect others, while patched systems were having RPC crash, which was shutting down their systems.

    It is very interesting to see all kinds of people who just days ago were probably participating in the thread over there about how paranoid people are who care about things like firewalls and ATs, etc. And now these people are getting directly impacted because they don't run a firewall.
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I believe this is the patch that will prevent the exploit:
    Microsoft TechNet
    -- There have been reports that the patch hasn't worked against this new exploit. Although if you don't have this update, apply it anyway, since it might be the worm that continues to shut down your system.

    However, if these people had just run a properly configured firewall, this worm would not have gotten as much traffic as it has caused recently.
     
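The "properly configured firewall" point in the post above, as an added example that is not code from the thread or from any of its posters: a small triage script that reads constructed firewall log lines, counts inbound attempts per destination port, flags sources that repeatedly hit the default NT service ports (TCP 135 is the RPC endpoint mapper; 137-139 and 445 are NetBIOS/SMB, which is general knowledge rather than something the thread states), and lists any connection the firewall allowed through to one of those ports. The log format, the host address 192.168.1.5, the scanner addresses and the sample lines are all assumptions made up for the example; a real firewall's log format will differ, so the regex is the part to adapt.

```python
"""Triage of firewall log lines for inbound probes to Windows NT service ports.

Added example for this thread, not code posted by anyone in it. The log
format, the host address and the sample lines are all constructed here;
real firewall logs differ, so adapt LINE_RE / parse_line() to yours.
"""
import re
from collections import Counter

# Ports a stock NT-family Windows host listens on by default (general
# knowledge, not from the thread): TCP 135 is the RPC endpoint mapper,
# 137-139 NetBIOS, 445 direct-hosted SMB.
NT_SERVICE_PORTS = {135, 137, 138, 139, 445}

# Constructed generic log format:
#   "<date> <time> <ACTION> <PROTO> src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: the protected host is 192.168.1.5; 203.0.113.x are
# assumed external scanners; the single ALLOW to :135 is the misconfiguration.
HOST = "192.168.1.5"
SAMPLE_LOG = """\
2003-08-11 22:01:03 DROP TCP 203.0.113.7:1521 -> 192.168.1.5:135
2003-08-11 22:01:03 DROP TCP 203.0.113.7:1522 -> 192.168.1.5:135
2003-08-11 22:01:04 DROP TCP 203.0.113.7:1523 -> 192.168.1.5:135
2003-08-11 22:01:04 ALLOW TCP 203.0.113.7:1524 -> 192.168.1.5:135
2003-08-11 22:01:09 DROP TCP 203.0.113.23:3301 -> 192.168.1.5:139
2003-08-11 22:01:10 ALLOW TCP 192.168.1.5:1040 -> 198.51.100.9:80
2003-08-11 22:01:12 DROP TCP 203.0.113.23:3302 -> 192.168.1.5:445
this line is deliberately malformed and must be skipped
""".splitlines()


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def inbound_events(lines, host):
    """Parsed events whose destination is `host`; outbound and unparsable lines are skipped."""
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dst"] == host:
            yield ev


def probes_by_port(lines, host):
    """Inbound attempts per destination port, allowed or not: shows where the surge lands."""
    return Counter(ev["dport"] for ev in inbound_events(lines, host))


def noisy_sources(lines, host, threshold=3):
    """Sources hitting NT service ports at least `threshold` times: worm-style scanning."""
    hits = Counter(ev["src"] for ev in inbound_events(lines, host)
                   if ev["dport"] in NT_SERVICE_PORTS)
    return {src: n for src, n in hits.items() if n >= threshold}


def allowed_to_nt_ports(lines, host):
    """Inbound connections the firewall let through to an NT service port.

    An empty result is what a properly configured firewall produces: nothing
    from outside reaches 135/137-139/445. Anything listed here is the exposure
    the thread is talking about.
    """
    return [ev for ev in inbound_events(lines, host)
            if ev["action"] == "ALLOW" and ev["dport"] in NT_SERVICE_PORTS]


if __name__ == "__main__":
    print("inbound attempts by port:", dict(probes_by_port(SAMPLE_LOG, HOST)))
    print("scanning sources:", noisy_sources(SAMPLE_LOG, HOST))
    for ev in allowed_to_nt_ports(SAMPLE_LOG, HOST):
        print("EXPOSED: {src}:{sport} reached {dst}:{dport}".format(**ev))
```

On the constructed sample the script reports four attempts on 135 and one each on 139 and 445, names 203.0.113.7 as a scanning source, and prints the one ALLOW that reached 135; the outbound web connection and the malformed line are ignored. The same "is anything allowed in to these ports" check is the one to run against a real log before deciding the firewall is configured properly.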
  5. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Yes, there were many people who believed that they didn't need to run a firewall, and that they were OK without one with listening NT services. Now many of these people are being shown that they were wrong, and have become part of the problem. All because they didn't care...
     
  6. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
  7. 5151

    5151 Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    6
    Location:
    CT
    It sounds like I got a worm from not running a firewall and I need a patch.
    This is a windows 98 work station with a pentium II chip.
    I am sending this message from my laptop and need specific instructions as to how to get this problem resolved on my desktop.
    I always had McAfee antivirus working and thought a firewall came with it.
    I checked for viruses but nothing detected.
     
  8. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi 5151,

    I haven't yet seen an analysis of the msblast worm but the vulnerability that it exploits does not exist on Win95/98 or Windows ME so I very much doubt you are hit with it.

    What have you been encountering that is leading you to believe that something is wrong?

    Thanks,

    Dan
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Nevertheless, it wouldn't hurt to have a look at the extensive removal instructions provided by Sophos, for example.

    Good luck, and keep us posted!

    regards.

    paul
     
  10. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    W32/Blaster-A

    I have not seen any win98 machines infected but ...

    Here is a removal tool you could run and if you are not infected you will know right away..maybe Paul will put it in his download area...

    caution direct link to removal tool
    http://updates.pandasoftware.com/pq/gen/blaster/pqremove.com
    Copyright (C) Panda Software 2003.

    Also see here if you want other tools..

    http://www.gladiator-antivirus.com/
     
  11. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Blitzenzeus: still, I've no doubt that many sans any type of firewall who were infected (and certainly those who weren't only because they were patched) will not run a firewall after this is over. They'll just deal with it on a case by case basis as if this event was just an aberration, not a kind of potential ongoing threat as long as they have open ports exposed on the net.

    Apparently this exploit only targeted the vulnerability for which the patch was designed (one imagines that was intentional). The next time, however, this might not be the case.
     
  12. Khaine

    Khaine Registered Member

    Joined:
    Oct 2, 2002
    Posts:
    127
    Over at DDR many people have come to the conclusion that this worm was designed to force people to patch their computers; hopefully some will install firewalls too.

    It seems, at least for the moment, it has caught most people's attention. What we really need to do is get the mainstream media, or a means to communicate with most users, to install a firewall and learn how to configure it properly to help prevent future worms.

    It seems that this sentiment of people not learning from past mistakes keeps on cropping up after each new major outbreak. Admins and users alike are lucky that this worm isn't malicious. If it was, they'd have learnt the hard way why a firewall is important. It seems that most people understand the need to learn from history, to stop repeating the same mistakes. Yet when it comes to computers and the internet they wallow in their own ignorance and seem to lose all common sense.

    One day this isn't going to be a wake-up call, and many will be burnt.
     