[unisog] multi-exploit IRC bot popular attack vectors?

Jason Richardson A00JER1 at wpo.cso.niu.edu
Fri Apr 9 19:01:51 GMT 2004


Is anyone else using ACLs on their edge and internal routers to block
traffic to and from these ports?  We have been using ACLs to block
NetBIOS and SMB at our edge and to block the same traffic from the
residence halls to our admin network for several months.  On Tuesday we
added ports 1025, 2556, 2745, and 3127-3198 to the ACLs for the routers
providing service to the residence halls.  Ever since then, a few
students have been complaining about connections dropping after some
period of network use that is only remedied by a reboot.  We were
wondering whether anyone else using ACLs on their routers or switches
has experienced the same thing and, if so, how you remedied it.

Thanks in advance,

---
Jason Richardson, J.D., CISSP, CISM, CNE
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich at niu.edu

>>> Clarke Morledge <chmorl at wm.edu> 4/7/2004 4:56:33 PM >>>
OK.  I'm just trying to sort out the various known attack vectors for the
latest IRC bot, Phatbot, Agobot, etc. variant of the week.

According to the ISC Handler's Diary:

http://isc.sans.org/diary.php?date=2004-04-01 

folks are seeing overflow attacks on 1025, 135, 139, 2745, 3127, 445,
6129, 80, 8080.  I know I'm missing some of these so I was hoping others
on the list could fill in the blanks:

135, 139, 445   RPC DCOM, anything else??
1025            ????  (some have suggested RPC DCOM -- confirmations?)
2745            Beagle backdoor
3127            MyDoom backdoor
6129            DameWare
80              WebDAV
8080            ????  (other WebDAV -- maybe??)

I know that this is a moving target, but can anyone fill in my question
marks, or make other appropriate changes/additions?

Thanks.


Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
