[60414] in North American Network Operators' Group


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: RPC errors and latest worm

daemon@ATHENA.MIT.EDU (Stewart, William C (Bill), RTSLS)
Mon Aug 11 19:37:59 2003

Date: Mon, 11 Aug 2003 18:37:11 -0500
From: "Stewart, William C (Bill), RTSLS" <billstewart@att.com>
To: <nanog@trapdoor.merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu

According to http://isc.sans.org/diary.html?date=3D2003-08-11 ,
the worm uses the latest popular MS exploit ports, so=20
"	 * Close port 135/tcp (and if possible 135-139, 445 and 593) ".

It also uses TCP port 4444 and TFTP =3D UDP 69 to download its
attack code after getting the initial bootstrap infection.
So you probably want to be blocking TCP 4444 and (if appropriate,
which it usually is, TFTP), and tracing any 4444 activity and TFTPs
to detect attacks.


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[60414] in North American Network Operators' Group

Re: RPC errors and latest worm

daemon@ATHENA.MIT.EDU (Stewart, William C (Bill), RTSLS)Mon Aug 11 19:37:59 2003

daemon@ATHENA.MIT.EDU (Stewart, William C (Bill), RTSLS)
Mon Aug 11 19:37:59 2003