[unisog] multi-exploit IRC bot popular attack vectors?

John Kemp kemp at network-services.uoregon.edu
Fri Apr 9 17:53:34 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 07 April 2004 14:56, Clarke Morledge wrote:
> OK.  I'm just trying to sort out the various known attack vectors for the
> latest IRC bot,Phabot,Agobot , etc. variant of the week.
>
> According to the ISC Handler's Diary:
>
> http://isc.sans.org/diary.php?date=2004-04-01
>
> folks are seeing overflow attacks on 1025, 135, 139, 2745, 3127, 445,
> 6129, 80, 8080.   I know I'm missing some of these so I was hoping others
> on the list could fill in the blanks:
>
> 135, 139, 445	RPC DCOM,  anything else??
> 1025		????  (some have suggested RPC DCOM -- confirmations?)
> 2745		Beagle backdoor
> 3127		MyDoom backdoor
> 6129		DameWare
> 80		WebDAV
> 8080		???? (other WebDAV -- maybe??)
>
> I know that this is a moving target, but can anyone fill in my question
> marks, or make other appropriate changes/additions?
>

I believe that the ephemeral port, 1025, is the first port allocated
when *any* service that utilizes RPC is called.

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

The References section has a link on DCOM.  It appears that 
DCOM utilizes RPC, hence the confusion in the discussions about this.
I think that saying DCOM relies on RPC is accurate.

Checkout the "PortQryv2" on the Microsoft site.  That resource will
show you roughly what applications are mapped to what endpoints.
As an interesting experiment, I took an XP machine down to just
port 135+1025.  After that, I disabled the Task Schedule (like cron),
did "show hidden devices" in the Device Manager and disabled 
Netbios over TCPIP in non-plug-and-play devices, disabled also
in the Network Control Panel, then ran the DeCombobulator from 
GRC.COM, and had a machine that didn't start 135 and 1025.
Note that this breaks DHCP for some reason as well, so I had to 
assign a static.  Still lets you login and surf the web.

Long story short, I believe that either the Task Scheduler process or
the launching of DCOM itself causes that port to appear.  If later you do
certain network things, you will also see the ephemeral port come up.
But since it appears to be grouped with a number of internal services,
it's very difficult to be authoritative about which process is triggering it.

- -- 

John G. Kemp ( kemp at network-services.uoregon.edu )
http://security.uoregon.edu/ mailto:security at uoregon.edu
pgp:C9BE D1C4 9893 1A9E FF1A  B354 77DE E6DC A3CA 7130
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAduMed97m3KPKcTARAkmPAJ9dC+eWbdTLze+FHCUvYk1qaSCddACePG/a
Fapxg7WqNjx99bRe2cf9GjQ=
=xzE4
-----END PGP SIGNATURE-----



More information about the unisog mailing list