[Dshield] Re: DCOM Question

Keith Bergen keith at keithbergen.com
Mon Aug 4 20:12:18 GMT 2003


I use a linksys router/switch at home. I simply enable the 
limited number of ports that I need available (WEB, Remote 
Desktop). That router provides a limited table where you can 
forward the ports you want. I presume then that all others 
are not open and don't go anywhere since I haven't explicitly 
told the router what to do with them.

Keith.

P.S. Congrats to all those on the list that are on vacation, 
and haven't been considerate enough to subscribe using a free 
service that they won't need to put "on vacation".

---- Original message ----
>Date: Mon, 04 Aug 2003 15:20:19 -0400
>From: Kenneth Coney <superc at visuallink.com>  
>Subject: [Dshield] Re: DCOM Question  
>To: list at dshield.org
>
>I simply closed ALL ports other than the 18 or so I think I need.  Saved a lot of work.
>
>list-request at dshield.org wrote:
>> 
>>   ---------------------------------------------------------------------------
>> Today's Topics:
>> 
>>    1. Re: crippled POP3 service: is this legal? (Kenneth Coney)
>>    2. Patriot spies? (Kenneth Coney)
>>    3. RE: port 135 / RPC DCOM update (Doug Goss)
>>    4. Re: Patriot spies? (Rick Klinge)
>>    5. Re: Re: [Dshield] Dcom (R Shady)
>>    6. Re: Re: [Dshield] Dcom (R Shady)
>>    7. Re: Patriot spies? (Jeff Kell)
>>    8. Re: Patriot spies? (Johannes Ullrich)
>>    9. DCOM Question... (Richard Golodner)
>>   10. Re: DCOM Question... (Johannes Ullrich)
>> 
>>   ---------------------------------------------------------------------------
>> 
>> Subject: [Dshield] Re: crippled POP3 service: is this legal?
>> Date: Sun, 03 Aug 2003 13:36:09 -0400
>> From: Kenneth Coney <superc at VISUALLINK.COM>
>> Reply-To: General DShield Discussion List <list at dshield.org>
>> To: list at dshield.org
>> References: <200308031604.h73G4KH18186 at viper.incidents.org>
>> 
>> I gather you don't use a program that simply saves your email to your own hard drive like the Netscape 4.7 series does?
>> 
>> BTW, I wouldn't send anyone to Hotmail.  Yes, they allow free storage of up to 2 megs.  However, your email buffer fills in only a few days as the new hot mail address is apparently shared with the spammers.  I created a hotmail address once, didn't use it and logged back in 3 hours later and it had about a dozen spam mails in it before I could use it.  My suspicion is email account names are distributed to spammers by Hotmail.  Spam mail is supposedly removed there every 7 days, but your junk mail box will eat your buffer in 3 as Hotmail wants you to give them a credit card number to pay for more storage.  (FYI, that doesn't help and I am told it merely opens the floodgate for a larger flood of email while you receive encouragement from Hotmail to spend even more money on more storage space.)  If you created a Hotmail address you would spend time every 3 days removing the junk mail lest your mail box be full, and therefore no longer capable of storing mail and the Hotmail system would be forced to auto delete your stored messages to make more room for the spammers.
>> 
>> A much better option is @yahoo.com  The mailbox is much larger and their spam filters (called bulk mail there) are much friendlier.
>> 
>>   ---------------------------------------------------------------------------
>> 
>> Subject: [Dshield] Patriot spies?
>> Date: Sun, 03 Aug 2003 13:52:49 -0400
>> From: Kenneth Coney <superc at visuallink.com>
>> Reply-To: General DShield Discussion List <list at dshield.org>
>> To: list at dshield.org
>> References: <200308031604.h73G4KH18186 at viper.incidents.org>
>> 
>> Seems to me there should be a way of clone spoofing the email address so two deliveries are made at once to 2 different locations, like when a cell phone or pager is cloned and a simple pencil recorder would give them the next address to clone.
>> 
>> Rick Klinge said
>> 
>> > Currently, the only way the Patriot spies can read your email is to place an
>> > intercept online or serve the ISP with papers requiring them to forward a copy
>> > of all your email to an address provided by the spy agency.
>> >
>> 
>> There's the kicker 'Currently'.. fwiw, I believe Cisco has already produced software/routers that will allow for the 'wire tap' functionality of all traffic.  One could easily implement the Magic Lantern or Aardvark projects at that level and trigger intercept via packet analysis - in real time.  Further rapid response, DHS personnel, could then act upon the data faster than a 911 distress call.  Pretty much Buck Rogers stuff for sure.  The other problem is the physical evidence portion of this.. which pulls this OT thread way Off Topic. ;-)
>> 
>> ~Rick
>> 
>> ___________________________________________________________________
>> Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
>> 
>>   ---------------------------------------------------------------------------
>> 
>> Subject: RE: [Dshield] port 135 / RPC DCOM update
>> Date: Mon, 4 Aug 2003 07:19:15 +1200
>> From: Doug Goss <dgoss at beca.co.nz>
>> Reply-To: General DShield Discussion List <list at dshield.org>
>> To: "'General DShield Discussion List'" <list at dshield.org>
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> Symantec have just released this under Latest Virus Threats
>> 
>> Backdoor.IRC.Cirebot
>> http://www.sarc.com/avcenter/venc/data/backdoor.irc.cirebot.html
>> Discovered on: August 02, 2003
>> Last Updated on: August 03, 2003 01:06:29 AM
>> 
>> Backdoor.IRC.Cirebot is a threat which exploits the Microsoft DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) to install a backdoor Trojan Horse on vulnerable systems. Backdoor.IRC.Cirebot consists of a Backdoor component, and a Hacktool component which installs the backdoor on systems which are vulnerable to the exploit.
>> 
>> Doug Goss
>> 
>> -----BEGIN PGP SIGNATURE-----
>> Version: 6.5.8ckt
>> 
>> iQA/AwUBPyy4UYnqsflaz10wEQJUqgCgi9uSLi+/3aZqwBuTx6uiqN3QCQ8An3do
>> y7EquYKVWToHr7tsEMEscHC0
>> =n/xr
>> -----END PGP SIGNATURE-----
>> 
>>   ---------------------------------------------------------------------------
>> 
>> Subject: Re: [Dshield] Patriot spies?
>> Date: Sun, 3 Aug 2003 14:58:11 -0500
>> From: "Rick Klinge" <rick at jaray.net>
>> Reply-To: General DShield Discussion List <list at dshield.org>
>> To: "General DShield Discussion List" <list at dshield.org>
>> References: <200308031604.h73G4KH18186 at viper.incidents.org>
>>      <3F2D4BF1.BCE872C5 at visuallink.com>
>> 
>> ----- Original Message -----
>> From: "Kenneth Coney" <superc at visuallink.com>
>> To: <list at dshield.org>
>> Sent: Sunday, August 03, 2003 12:52 PM
>> Subject: [Dshield] Patriot spies?
>> 
>> > Seems to me there should be a way of clone spoofing the email address so
>> > two deliveries are made at once to 2 different locations, like when a cell
>> > phone or pager is cloned and a simple pencil recorder would give them the
>> > next address to clone.
>> >
>> 
>> Huh?  I don't get it..  I would think one would just sniff the packet stream and trigger upon pre selected data.  At that point capture the data, log the traffic, send notify DHS via secured snpp, create a response order for the dispatcher, plot DHS personnel and assets via gps, and so forth and so forth...  but of course this is just fiction at this point.  Right?
>> 
>>   ---------------------------------------------------------------------------
>> 
>> Subject: Re: [dshield] Re: [Dshield] Dcom
>> Date: Sun, 03 Aug 2003 17:16:26 -0400
>> From: R Shady <RShady at stny.rr.com>
>> Reply-To: General DShield Discussion List <list at dshield.org>
>> To: General DShield Discussion List <list at dshield.org>
>> References: <9F3B43C638622B45B013654517B61D9B064A69 at banana-jr-6k.nmefdn.org>
>>      <000701c359c3$d1a43400$5331f842 at computer>
>> 
>> If memory serves me correctly, DCOM is not installed (default-wise) on Windows 98.  I believe you have to install it as one of the components in Add/Remove programs or download.  There is a special DCOM application for Win98.  If you installed DCOM on Win98 and then you upgrade to Win98 second edition, the DCOM settings are not retained.  See:
>> 
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;233149
>> 
>> newsdesk wrote:
>> > I have installed it on my WIN98 system, but did not configure it. Now I am getting error messages to change my network authorizations, including sharing files and printers. I do not have a network and don't know which direction to go. Uninstall and reinstall? or just leave off machine. It came on my new Norton Internet Security 2003 CD. Also, I wonder why Win98 was not listed in the affected OS for the patch.
>> > thanks
>> >
>> > (first post)
>> >   ----- Original Message -----
>> >   From: Paul Marsh
>> >   To: General DShield Discussion List
>> >   Sent: Friday, August 01, 2003 8:34 AM
>> >   Subject: RE: [Dshield] Dcom
>> >
>> >
>> >   My sentiments exactly, patch those systems!  I've also been looking around and found that there is a dcom for Win98 http://www.microsoft.com/com/dcom/dcom98/dcom1_3.asp but who really knows how many users have installed it.
>> >
>> >   -----Original Message-----
>> >   From: Johannes Ullrich [mailto:jullrich at euclidian.com]
>> >   Sent: Friday, August 01, 2003 9:17 AM
>> >   To: General DShield Discussion List
>> >   Subject: Re: [Dshield] Dcom
>> >
>> >
>> >   On Fri, 2003-08-01 at 08:47, Paul Marsh wrote:
>> >   > I'm starting to hear rumblings that dcom is
>> >   > exploitable on port 80, does anyone know if
>> >   > there is any truth behind it?
>> >
>> >   yes it is. But AFAIK, this is not enabled by default,
>> >   and the currently circulated exploits (dcom.c based)
>> >   are not using this port.
>> >
>> >   However, this does bring up the fact that you need
>> >   to patch. Don't rely on the firewall alone. If possible,
>> >   just disable RPC.
>> >
>> >
>> >   >
>> >   > _______________________________________________
>> >   > list mailing list
>> >   > list at dshield.org
>> >   > To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
>> >   --
>> >   Johannes Ullrich                     jullrich at euclidian.com
>> >   pgp key: http://johannes.homepc.org/PGPKEYS
>> >
>> 
>>   ---------------------------------------------------------------------------
>> 
>> Subject: Re: [dshield] Re: [Dshield] Dcom
>> Date: Sun, 03 Aug 2003 17:28:32 -0400
>> From: R Shady <RShady at stny.rr.com>
>> Reply-To: General DShield Discussion List <list at dshield.org>
>> To: General DShield Discussion List <list at dshield.org>
>> References: <9F3B43C638622B45B013654517B61D9B064A69 at banana-jr-6k.nmefdn.org>
>>      <000701c359c3$d1a43400$5331f842 at computer>
>> 
>> Sorry, forgot to add this link:
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;236354
>> 
>>   ---------------------------------------------------------------------------
>> 
>> Subject: Re: [Dshield] Patriot spies?
>> Date: Mon, 04 Aug 2003 09:44:16 -0400
>> From: Jeff Kell <jeff-kell at utc.edu>
>> Reply-To: General DShield Discussion List <list at dshield.org>
>> To: General DShield Discussion List <list at dshield.org>
>> References: <200308031604.h73G4KH18186 at viper.incidents.org>
>>      <3F2D4BF1.BCE872C5 at visuallink.com>
>> 
>> Kenneth Coney wrote:
>> 
>> > There's the kicker 'Currently'.. fwiw, I believe Cisco has already produced
>> > software/routers that will allow for the 'wire tap' functionality of all
>> > traffic.
>> 
>> It's called Remote SPAN, and it's not very universally deployed (yet).
>> 
>> Jeff
>> 
>>   ---------------------------------------------------------------------------
>> 
>> Subject: Re: [Dshield] Patriot spies?
>> Date: 04 Aug 2003 10:43:01 -0400
>> From: Johannes Ullrich <jullrich at euclidian.com>
>> Reply-To: General DShield Discussion List <list at dshield.org>
>> To: General DShield Discussion List <list at dshield.org>
>> References: <200308031604.h73G4KH18186 at viper.incidents.org>
>>      <3F2D4BF1.BCE872C5 at visuallink.com> <3F2E6330.4080403 at utc.edu>
>> 
>> > It's called Remote SPAN, and it's not very universally
>> > deployed (yet).
>> 
>> There are a number of ways to wiretap a connection. Such a
>> 'span port' on a switch is frequently used for intrusion
>> detection systems. A 'span port' will see all traffic that
>> goes through a switch.
>> 
>> However, there are other methods:
>> - 'tap'. This is essentially a read only connection. Kind of like a hub. It can be plugged into an existing ethernet connection (fiber or copper).
>> 
>> - hub. just a simple hub will allow you to 'listen in'. Unlike a tap, such a hub allows the listening machine to send data to the network which may make it harder to hide.
>> 
>> Of course, there are numerous other ways. E-mail could just be copied to a second account from the mail server, or a sniffer could be installed on an existing machine.
>> 
>> Of course, there are various laws regulating this. In the US, the following laws apply:
>> 
>> - Electronic Privacy Act: It prohibits your ISP from sharing any intercepted communications with others (including law enforcement). The ISP can be held liable for violating this law
>> 
>> - Wiretap Act: It restricts how anybody is permitted to 'sniff' a connection. In general, law enforcement has to have a court order. Even an ISP is not permitted to listen in on its own network unless they have permission from the user to do so, or they do so in a limited way to ensure network security (however, whatever they find is still protected by the privacy act). The ISP is not required to notify law enforcement of illegal activity, with the only exception of child pornography.
>> 
>> - constitution (4th amendment). It protects you from unlawful wiretapping by the government. However, it does nothing about your ISP or other non-govt entities.
>> 
>> AFAIK, the first Patriot act did not change this all that substantially. The only thing that got added is that it permitted the government to assist private companies in wiretapping if the private company requests this and does not have the ability to do so themselves.
>> 
>> (no,
>> 
>> --
>> --
>> Johannes Ullrich                     jullrich at euclidian.com
>> pgp key: http://johannes.homepc.org/PGPKEYS
>> --
>>    "We regret to inform you that we do not enable any of the
>>     security functions within the routers that we install."
>>          support at covad.net
>> --
>> 
>>   ---------------------------------------------------------------------------
>> 
>> Subject: [Dshield] DCOM Question...
>> Date: Mon, 4 Aug 2003 11:25:12 -0400
>> From: Richard Golodner <RGolodner at Aetea.com>
>> Reply-To: General DShield Discussion List <list at dshield.org>
>> To: "'list at dshield.org'" <list at dshield.org>
>> 
>>         I am wondering if someone from the group could update me on what ports they are blocking at their firewalls other than the usual 135, 137,138,139. All of this patching has gotten to be quite a PIA. Thanks for the info...You may email me off list in order to keep the noise level as low as possible. kid at aetea.com
>>                                                 Sincerely, Richard Golodner
>> 
>>   ---------------------------------------------------------------------------
>> 
>> Subject: Re: [Dshield] DCOM Question...
>> Date: 04 Aug 2003 11:45:21 -0400
>> From: Johannes Ullrich <jullrich at euclidian.com>
>> Reply-To: General DShield Discussion List <list at dshield.org>
>> To: General DShield Discussion List <list at dshield.org>
>> References: <460D28F67915D51184E600508BD8A9E3030E03CB at aeteaexch1.aetea.com>
>> 
>> If this is for a small company / home user network, you should block all inbound traffic unless it is related to an established connection (requires stateful firewall).
>> 
>> You may have to open a limited number of ports for some services (e.g. Netmeeting)
>> 
>> On Mon, 2003-08-04 at 11:25, Richard Golodner wrote:
>> >       I am wondering if someone from the group could update me on what ports they are blocking at their firewalls other than the usual 135, 137,138,139. All of this patching has gotten to be quite a PIA. Thanks for the info...You may email me off list in order to keep the noise level as low as possible. kid at aetea.com
>> >                                               Sincerely, Richard Golodner
>> >
>> --
>> --------------------------------------------------------------
>> Johannes Ullrich                     jullrich at euclidian.com
>> pgp key: http://johannes.homepc.org/PGPKEYS
>> --------------------------------------------------------------
>>    "We regret to inform you that we do not enable any of the
>>     security functions within the routers that we install."
>>          support at covad.net
>> --------------------------------------------------------------
>> 
>>   ---------------------------------------------------------------------------
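The policy Johannes recommends in the DCOM reply above (drop all inbound traffic unless it belongs to a connection the inside started, then open a short list of published ports), which is also what Keith's Linksys forward table amounts to, as a small Python model. This is an added example, not code from the list or from any router vendor. The LAN prefix, host addresses, forwarded ports and packet sequence are constructed; direction is decided by a nominal ingress interface rather than by NAT translation, and the state table is a plain set of 5-tuples with no timeouts.

```python
"""Default-deny, stateful inbound filter with a port-forward table.

Added example modelling the policy discussed on the list; addresses,
ports and packets below are constructed.  Direction is decided by the
ingress interface ("lan"/"wan"), the way a real firewall does it, not by
trusting the source address.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str          # "lan" (from inside) or "wan" (from the Internet)
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN, i.e. a new connection attempt (ignored for UDP)


class StatefulFirewall:
    def __init__(self, inside_prefix, forwards):
        self.inside_prefix = inside_prefix   # constructed LAN prefix, e.g. "192.168.1."
        self.forwards = set(forwards)        # {(proto, port)}: the router's forward table
        self.state = set()                   # 5-tuples of flows admitted so far
        self.log = []                        # (verdict, reason, packet)

    def _decide(self, pkt, verdict, reason):
        self.log.append((verdict, reason, pkt))
        return verdict

    def filter(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if pkt.iface == "lan":
            # Outbound: allow, and remember the flow so the reply can come back.
            self.state.add(flow)
            return self._decide(pkt, "accept", "outbound")

        if pkt.src.startswith(self.inside_prefix):
            # Anti-spoofing: a WAN packet claiming an inside source is never ours.
            return self._decide(pkt, "drop", "spoofed")

        if flow in self.state or reverse in self.state:
            # Continuation or reply of a flow we already admitted.
            return self._decide(pkt, "accept", "established")

        if (pkt.proto, pkt.dport) in self.forwards and (pkt.proto == "udp" or pkt.syn):
            # Explicitly published service: admit the new flow and track it.
            self.state.add(flow)
            return self._decide(pkt, "accept", "forwarded")

        # Everything else is unsolicited inbound: SYNs to 135/139/445, stray
        # ACKs to ports nobody inside is using, probes to unforwarded services.
        return self._decide(pkt, "drop", "default-deny")


# Constructed addresses (RFC 5737 documentation ranges for the outside hosts).
LAN = "192.168.1."
PC = "192.168.1.10"
WEB = "203.0.113.5"
DNS = "203.0.113.53"
SCANNER = "198.51.100.7"


def run_scenario():
    """Push a constructed packet sequence through the filter; returns
    (list of verdicts in order, the firewall's decision log)."""
    fw = StatefulFirewall(LAN, forwards={("tcp", 80), ("tcp", 3389)})
    packets = [
        Packet("lan", "tcp", PC, 40000, WEB, 80, syn=True),       # browse out
        Packet("wan", "tcp", WEB, 80, PC, 40000),                 # HTTP reply
        Packet("lan", "udp", PC, 5353, DNS, 53),                  # DNS query out
        Packet("wan", "udp", DNS, 53, PC, 5353),                  # DNS answer
        Packet("wan", "tcp", SCANNER, 4444, PC, 135, syn=True),   # RPC endpoint mapper probe
        Packet("wan", "tcp", SCANNER, 4445, PC, 445, syn=True),   # SMB probe
        Packet("wan", "tcp", SCANNER, 4446, PC, 40001),           # ACK scan, no state
        Packet("wan", "tcp", SCANNER, 4447, PC, 3389, syn=True),  # forwarded Remote Desktop
        Packet("wan", "tcp", SCANNER, 4447, PC, 3389),            # rest of that flow
        Packet("wan", "tcp", PC, 1, PC, 135, syn=True),           # spoofed inside source
    ]
    return [fw.filter(p) for p in packets], fw.log


if __name__ == "__main__":
    for verdict, reason, pkt in run_scenario()[1]:
        print(f"{verdict:6} {reason:12} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Two things in the run are worth noticing. The SYNs to 135 and 445 and the stateless ACK to a high port all fall through to the default-deny branch, which is the behaviour Keith presumes of his router; the only inbound flows admitted are replies to traffic the PC started and the two forwarded ports. The last packet is the caveat: a filter that decided "inside" by source address instead of ingress interface would have treated it as outbound, so the presumption that unforwarded ports "don't go anywhere" holds only if the router also refuses WAN packets claiming an inside source. And as Johannes says, the forwarded ports still need patching, since the filter cannot tell an exploit on 3389 from a legitimate session.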




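Richard's question ("what ports are you blocking other than the usual 135, 137, 138, 139") has a check that goes with it: from an address outside the firewall, confirm that the Windows RPC and SMB ports cannot be reached. The scanner below is an added example, not code from the list. It classifies each TCP port as open, closed or filtered, which is the distinction that matters here: closed means the host answered with a reset and is exposed even though nothing listens yet, filtered is what a default-deny firewall produces. The port list is the TCP set MS03-026's workaround section names (135, 139, 445, 593); the UDP ports the bulletin also lists (135, 137, 138, 445) cannot be tested with a TCP connect. The loopback fixture at the bottom is constructed so the code runs offline.

```python
"""Perimeter exposure check for the Windows RPC/SMB ports.

Added example, not code from the list.  Run it from an address outside
the firewall against the public address; the loopback fixture at the
bottom is constructed so the module can be exercised offline.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# TCP ports the MS03-026 workaround section says to block at the perimeter.
# The bulletin also lists UDP 135/137/138/445; a TCP connect cannot test those.
RPC_TCP_PORTS = {
    135: "epmap: RPC endpoint mapper, the port dcom.c targets",
    139: "netbios-ssn",
    445: "microsoft-ds: SMB, which also carries RPC",
    593: "http-rpc-epmap: RPC over HTTP",
}


def probe(host, port, timeout=1.0):
    """Classify one TCP port:
    'open'      handshake completed, the service is reachable from here
    'closed'    the host answered with a reset: nothing listens, but the
                host itself is exposed and any future service would be too
    'filtered'  no answer (or no route): what a default-deny firewall yields
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:          # timeout, host/net unreachable, etc.
            return "filtered"


def check_exposure(host, ports=RPC_TCP_PORTS, timeout=1.0, workers=8):
    """Probe the ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def exposed(results):
    """Ports an outside attacker can actually complete a handshake to."""
    return sorted(p for p, state in results.items() if state == "open")


def report(results):
    return "\n".join(f"{p:5}/tcp {state:9} {RPC_TCP_PORTS.get(p, '')}"
                     for p, state in sorted(results.items()))


# ---- constructed offline fixture -------------------------------------------

def _start_local_listener():
    """Listen on an ephemeral loopback port so there is one genuinely open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:      # listener shut down, stop the thread
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Scan loopback for one listening port and one free port; returns
    (open_port, closed_port, results) so callers can check the classification."""
    srv, open_port = _start_local_listener()
    # Reserve then release a second ephemeral port: it is closed, not filtered.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        results = check_exposure("127.0.0.1", [open_port, closed_port], timeout=2.0)
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
        except OSError:
            pass
        srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        res = check_exposure(sys.argv[1])
        print(report(res))
        print("exposed:", exposed(res) or "none")
    else:
        print(demo()[2])
```

Run it with the public address as the argument from a host on the Internet side; every line should read "filtered". A "closed" result means the firewall passes the packet and the host is doing the refusing, which is the situation Kenneth and Keith are relying on their routers to prevent. Note Johannes's point earlier in the thread about RPC over port 80: if 80 is forwarded, as in Keith's setup, this scan says nothing about whether RPC is reachable through it, which is one more reason the patch and not the filter is the real fix.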