[63822] in North American Network Operators' Group


Re: New attack against port 135?

daemon@ATHENA.MIT.EDU (Andrew D Kirch)
Fri Oct 10 13:40:51 2003

Date: Fri, 10 Oct 2003 12:38:48 -0500
From: Andrew D Kirch <trelane@2mbit.com>
To: nanog@merit.edu
In-Reply-To: <2147483647.1065792418@titan.net.cmu.edu>
Errors-To: owner-nanog-outgoing@merit.edu


The kiddies have finally exploited the RPC SS/RPC DCOMII exploits that Microsoft patched after internal auditing. I first got word of a working exploit about a week ago, but no real confirmation, and I put very little credence in "<kiddie> I hax0rz your b0x3n!" Then scanning went exponentially through the roof. So it looks like the kiddie's right. I doubt there's a virus per se, more like kiddies hunting for vulnerable boxes to install DDoS trojans on. Anyone who honeypots one of these scans and gets a trojan, please notify me and forward it; it would be most helpful. (Also obviously forward to Symantec et al.)


On Fri, 10 Oct 2003 13:26:58 -0400
Peter John Hill <peterjhill@cmu.edu> wrote:

> 
> I am seeing lots of scanning of port 135 on my network. 66 byte long packets. Anyone have a name for this? It is less aggressive than the Welchia scans I have seen. Seems to scan at about 3000 or so flows per 5 minutes.
> 
> Thanks
> Peter Hill
> Network Engineer
> Carnegie Mellon
> 


-- 

Andrew D Kirch  |	    trelane@2mbit.com            | 
Security Admin  |  Summit Open Source Development Group  | www.sosdg.org
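
An added example, not part of either message: one way to turn the kind of flow counts Peter describes into per-source evidence of scanning, by counting the distinct hosts each source touches on TCP/135 in every 5-minute bin. The record layout, the `min_targets` threshold and the documentation-range addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

def scan_sources(flows, port=135, window=300, min_targets=50):
    """Per (window_start, src): flows, distinct destinations and mean bytes
    per packet on TCP `port`, kept only when the source touched at least
    `min_targets` different hosts inside one `window`-second bin."""
    stats = defaultdict(lambda: {"flows": 0, "dsts": set(), "pkts": 0, "bytes": 0})
    for ts, src, dst, proto, dport, pkts, nbytes in flows:
        if proto != "tcp" or dport != port:
            continue
        s = stats[(ts - ts % window, src)]   # align to the start of the bin
        s["flows"] += 1
        s["dsts"].add(dst)
        s["pkts"] += pkts
        s["bytes"] += nbytes
    return {
        key: (s["flows"], len(s["dsts"]), s["bytes"] / max(s["pkts"], 1))
        for key, s in stats.items()
        if len(s["dsts"]) >= min_targets
    }

def sample_flows():
    """Constructed records: (unix_ts, src, dst, proto, dport, packets, bytes)."""
    flows = []
    for i in range(1, 121):   # sweep: one 66-byte packet to each of 120 hosts
        flows.append((900 + i, "192.0.2.10", f"198.51.100.{i}", "tcp", 135, 1, 66))
    for i in range(200):      # busy client: many flows, but a single server
        flows.append((900 + i, "192.0.2.20", "198.51.100.5", "tcp", 135, 10, 1500))
    for i in range(1, 81):    # sweep on another port: outside this check
        flows.append((900 + i, "192.0.2.30", f"198.51.100.{i}", "tcp", 445, 1, 66))
    return flows

if __name__ == "__main__":
    for (start, src), (n, dsts, size) in sorted(scan_sources(sample_flows()).items()):
        print(f"{start} {src}: {n} flows to {dsts} hosts, {size:.0f} bytes/packet")
```

Raw flow volume alone would rank the busy client above the sweep; the distinct-destination count is what separates them. A sweep paced below `min_targets` hosts per bin stays under this threshold.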


