[Dshield] RE: Moving infocon to 'half yellow'

DLackey@pittohio.com DLackey at pittohio.com
Fri Aug 1 23:47:11 GMT 2003

Does anyone have Snort signatures for this? Any help is appreciated.

-----Original Message-----
From: Johannes B. Ullrich [mailto:jullrich at sans.org] 
Sent: Friday, August 01, 2003 5:32 PM
To: intrusions at sans.org; list at dshield.org
Subject: Moving infocon to 'half yellow'

Ok. We really couldn't make up our mind ;-). The RPC DCOM issue is serious.
We are seeing it exploited, and work on refining the exploit is in progress.
While the exploit is not in such heavy use as to cause any widespread
outages at this time, we did set the 'Infocon' up a notch to indicate that
this is your


I can't stress enough that a patch is probably the only safe thing you can
do at this point. Depending on your configuration, there are a number of
ports that can be used to exploit this vulnerability. The exploits in
circulation at this point are for the most part silent if successful. 

Do not rely on firewalls. There are numerous ways to exploit this issue.
Firewalls will help, but should not be used in lieu of patches. A virus
scanner will most likely not detect the exploit.

SANS - Internet Storm Center
PGP Key: http://isc.sans.org/jullrich.txt
