[Dshield] Re: DCOM Question

Kenneth Coney superc at visuallink.com
Mon Aug 4 19:20:19 GMT 2003


I simply closed ALL ports other than the 18 or so I think I need.  Saved a
lot of work.

list-request at dshield.org wrote:
> 
> Send list mailing list submissions to
>         list at dshield.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://www.dshield.org/mailman/listinfo/list
> or, via email, send a message with subject or body 'help' to
>         list-request at dshield.org
> 
> You can reach the person managing the list at
>         list-owner at dshield.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of list digest..."
> 
>   ---------------------------------------------------------------------------
> Today's Topics:
> 
>    1. Re: crippled POP3 service: is this legal? (Kenneth Coney)
>    2. Patriot spies? (Kenneth Coney)
>    3. RE: port 135 / RPC DCOM update (Doug Goss)
>    4. Re: Patriot spies? (Rick Klinge)
>    5. Re: Re: [Dshield] Dcom (R Shady)
>    6. Re: Re: [Dshield] Dcom (R Shady)
>    7. Re: Patriot spies? (Jeff Kell)
>    8. Re: Patriot spies? (Johannes Ullrich)
>    9. DCOM Question... (Richard Golodner)
>   10. Re: DCOM Question... (Johannes Ullrich)
> 
>   ---------------------------------------------------------------------------
> 
> Subject: [Dshield] Re: crippled POP3 service: is this legal?
> Date: Sun, 03 Aug 2003 13:36:09 -0400
> From: Kenneth Coney <superc at VISUALLINK.COM>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: list at dshield.org
> References: <200308031604.h73G4KH18186 at viper.incidents.org>
> 
> I gather you don't use a program that simply saves your email to your own
> hard drive like the Netscape 4.7 series does?
> 
> BTW, I wouldn't send anyone to Hotmail.  Yes, they allow free storage of up
> to 2 megs.  However, your email buffer fills in only a few days as the new
> Hotmail address is apparently shared with the spammers.  I created a
> hotmail address once, didn't use it and logged back in 3 hours later and it
> had about a dozen spam mails in it before I could use it.  My suspicion is
> email account names are distributed to spammers by Hotmail.  Spam mail is
> supposedly removed there every 7 days, but your junk mail box will eat your
> buffer in 3 as Hotmail wants you to give them a credit card number to pay
> for more storage.  (FYI, that doesn't help and I am told it merely opens
> the floodgate for a larger flood of email while you receive encouragement
> from Hotmail to spend even more money on more storage space.)  If you
> created a Hotmail address you would spend time every 3 days removing the
> junk mail lest your mailbox be full, and therefore no longer capable of
> storing mail and the Hotmail system would be forced to auto delete your
> stored messages to make more room for the spammers.
> 
> A much better option is @yahoo.com  The mailbox is much larger and their
> spam filters (called bulk mail there) are much friendlier.
> 
>   ---------------------------------------------------------------------------
> 
> Subject: [Dshield] Patriot spies?
> Date: Sun, 03 Aug 2003 13:52:49 -0400
> From: Kenneth Coney <superc at visuallink.com>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: list at dshield.org
> References: <200308031604.h73G4KH18186 at viper.incidents.org>
> 
> Seems to me there should be a way of clone spoofing the email address so
> two deliveries are made at once to 2 different locations, like when a cell
> phone or pager is cloned and a simple pencil recorder would give them the
> next address to clone.
> 
> Rick Klinge said
> 
> > Currently, the only way the Patriot spies can read your email is to place
> an
> > intercept online or serve the ISP with papers requiring them to forward a
> copy
> > of all your email to an address provided by the spy agency.
> >
> 
> There's the kicker 'Currently'.. fwiw, I believe Cisco has already produced
> software/routers that will allow for the 'wire tap' functionality of all
> traffic.  One could easily implement the Magic Lantern or Aardvark projects
> at that level and trigger intercept via packet analysis - in real time.
> Further rapid response, DHS personnel, could then act upon the data faster
> than a 911 distress call.  Pretty much Buck Rogers stuff for sure.  The
> other problem is the physical evidence portion of this.. which pulls this
> OT thread way Off Topic. ;-)
> 
> ~Rick
> 
> ___________________________________________________________________
> Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
> 
>   ---------------------------------------------------------------------------
> 
> Subject: RE: [Dshield] port 135 / RPC DCOM update
> Date: Mon, 4 Aug 2003 07:19:15 +1200
> From: Doug Goss <dgoss at beca.co.nz>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: "'General DShield Discussion List'" <list at dshield.org>
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Symantec have just released this under Latest Virus Threats
> 
> Backdoor.IRC.Cirebot
> http://www.sarc.com/avcenter/venc/data/backdoor.irc.cirebot.html
> Discovered on: August 02, 2003
> Last Updated on: August 03, 2003 01:06:29 AM
> 
> Backdoor.IRC.Cirebot is a threat which exploits the Microsoft DCOM
> RPC vulnerability (described in Microsoft Security Bulletin MS03-026)
> to install a backdoor Trojan Horse on vulnerable systems.
> Backdoor.IRC.Cirebot consists of a Backdoor component, and a Hacktool
> component which installs the backdoor on systems which are vulnerable
> to the exploit.
> 
> Doug Goss
> 
> -----BEGIN PGP SIGNATURE-----
> Version: 6.5.8ckt
> 
> iQA/AwUBPyy4UYnqsflaz10wEQJUqgCgi9uSLi+/3aZqwBuTx6uiqN3QCQ8An3do
> y7EquYKVWToHr7tsEMEscHC0
> =n/xr
> -----END PGP SIGNATURE-----
> 
> 
>   ---------------------------------------------------------------------------
> 
> Subject: Re: [Dshield] Patriot spies?
> Date: Sun, 3 Aug 2003 14:58:11 -0500
> From: "Rick Klinge" <rick at jaray.net>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: "General DShield Discussion List" <list at dshield.org>
> References: <200308031604.h73G4KH18186 at viper.incidents.org>
>      <3F2D4BF1.BCE872C5 at visuallink.com>
> 
> ----- Original Message -----
> From: "Kenneth Coney" <superc at visuallink.com>
> To: <list at dshield.org>
> Sent: Sunday, August 03, 2003 12:52 PM
> Subject: [Dshield] Patriot spies?
> 
> > Seems to me there should be a way of clone spoofing the email address so
> > two deliveries are made at once to 2 different locations, like when a cell
> > phone or pager is cloned and a simple pencil recorder would give them the
> > next address to clone.
> >
> 
> Huh?  I don't get it..  I would think one would just sniff the packet stream
> and trigger upon pre-selected data.  At that point capture the data, log the
> traffic, send notify DHS via secured snpp, create a response order for the
> dispatcher, plot DHS personnel and assets via gps, and so forth and so
> forth...  but this of course is just fiction at this point.  Right?
> 
> 
>   ---------------------------------------------------------------------------
> 
> Subject: Re: [dshield] Re: [Dshield] Dcom
> Date: Sun, 03 Aug 2003 17:16:26 -0400
> From: R Shady <RShady at stny.rr.com>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: General DShield Discussion List <list at dshield.org>
> References: <9F3B43C638622B45B013654517B61D9B064A69 at banana-jr-6k.nmefdn.org>
>      <000701c359c3$d1a43400$5331f842 at computer>
> 
> If memory serves me correctly, DCOM is not installed (default-wise) on
> Windows 98.  I believe you have to install it as one of the components
> in Add/Remove programs or download.  There is a special DCOM
> application for Win98.  If you installed DCOM on Win98 and then you
> upgrade to Win98 second edition, the DCOM settings are not retained.  See:
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;233149
> 
> newsdesk wrote:
> > I have installed it on my WIN98 system, but did not configure it. Now I am getting error messages to change my network authorizations, including sharing files and printers. I do not have a network and don't know which direction to go. Uninstall and reinstall? or just leave off machine. It came on my new Norton Internet Security 2003 CD. Also, I wonder why Win98 was not listed in the affected OS for the patch.
> > thanks
> >
> > (first post)
> >   ----- Original Message -----
> >   From: Paul Marsh
> >   To: General DShield Discussion List
> >   Sent: Friday, August 01, 2003 8:34 AM
> >   Subject: RE: [Dshield] Dcom
> >
> >
> >   My sentiments exactly, patch those systems!  I've also been looking around and found that there is a dcom for Win98 http://www.microsoft.com/com/dcom/dcom98/dcom1_3.asp but who really knows how many users have installed it.
> >
> >   -----Original Message-----
> >   From: Johannes Ullrich [mailto:jullrich at euclidian.com]
> >   Sent: Friday, August 01, 2003 9:17 AM
> >   To: General DShield Discussion List
> >   Subject: Re: [Dshield] Dcom
> >
> >
> >   On Fri, 2003-08-01 at 08:47, Paul Marsh wrote:
> >   > I'm starting to hear rumblings that dcom is
> >   > exploitable on port 80, does anyone know if
> >   > there is any truth behind it?
> >
> >   yes it is. But AFAIK, this is not enabled by default,
> >   and the currently circulated exploits (dcom.c based)
> >   are not using this port.
> >
> >   However, this does bring up the fact that you need
> >   to patch. Don't rely on the firewall alone. If possible,
> >   just disable RPC.
> >
> >
> >   >
> >   > _______________________________________________
> >   > list mailing list
> >   > list at dshield.org
> >   > To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> >   --
> >   Johannes Ullrich                     jullrich at euclidian.com
> >   pgp key: http://johannes.homepc.org/PGPKEYS
> >
> >
> >
> >
> 
>   ---------------------------------------------------------------------------
> 
> Subject: Re: [dshield] Re: [Dshield] Dcom
> Date: Sun, 03 Aug 2003 17:28:32 -0400
> From: R Shady <RShady at stny.rr.com>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: General DShield Discussion List <list at dshield.org>
> References: <9F3B43C638622B45B013654517B61D9B064A69 at banana-jr-6k.nmefdn.org>
>      <000701c359c3$d1a43400$5331f842 at computer>
> 
> Sorry, forgot to add this link:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;236354
> 
> 
>   ---------------------------------------------------------------------------
> 
> Subject: Re: [Dshield] Patriot spies?
> Date: Mon, 04 Aug 2003 09:44:16 -0400
> From: Jeff Kell <jeff-kell at utc.edu>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: General DShield Discussion List <list at dshield.org>
> References: <200308031604.h73G4KH18186 at viper.incidents.org>
>      <3F2D4BF1.BCE872C5 at visuallink.com>
> 
> Kenneth Coney wrote:
> 
> > There's the kicker 'Currently'.. fwiw, I believe Cisco has already produced
> > software/routers that will allow for the 'wire tap' functionality of all
> > traffic.
> 
> It's called Remote SPAN, and it's not very universally deployed (yet).
> 
> Jeff
> 
>   ---------------------------------------------------------------------------
> 
> Subject: Re: [Dshield] Patriot spies?
> Date: 04 Aug 2003 10:43:01 -0400
> From: Johannes Ullrich <jullrich at euclidian.com>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: General DShield Discussion List <list at dshield.org>
> References: <200308031604.h73G4KH18186 at viper.incidents.org>
>      <3F2D4BF1.BCE872C5 at visuallink.com> <3F2E6330.4080403 at utc.edu>
> 
> > It's called Remote SPAN, and it's not very universally
> > deployed (yet).
> 
> There are a number of ways to wiretap a connection. Such a
> 'span port' on a switch is frequently used for intrusion
> detection systems. A 'span port' will see all traffic that
> goes through a switch.
> 
> However, there are other methods:
> - 'tap'. This is essentially a read only connection. Kind of like a hub.
> It can be plugged into an existing ethernet connection (fiber or
> copper).
> 
> - hub. just a simple hub will allow you to 'listen in'. Unlike
> a tap, such a hub allows the listening machine to send data to the
> network which may make it harder to hide.
> 
> Of course, there are numerous other ways. E-mail could just be copied to
> a second account from the mail server, or a sniffer could be installed
> on an existing machine.
> 
> Of course, there are various laws regulating this. In the US, the
> following laws apply:
> 
> - Electronic Privacy Act: It prohibits your ISP from sharing
> any intercepted communications with others (including law
> enforcement). The ISP can be held liable for violating this
> law
> 
> - Wiretap Act: It restricts how anybody is permitted to 'sniff' a
> connection. In general, law enforcement has to have a court order. Even
> an ISP is not permitted to listen in on its own network unless they have
> permission from the user to do so, or they do so in a limited way to
> ensure network security (however, whatever they find is still protected
> by the privacy act). The ISP is not required to notify law enforcement
> of illegal activity, with the only exception of child pornography.
> 
> - constitution (4th amendment). It protects you from unlawful
> wiretapping by the government. However, it does nothing about your ISP
> or other non-govt entities.
> 
> AFAIK, the first Patriot act did not change this all that substantially.
> The only thing that got added is that it permitted the government to
> assist private companies in wiretapping if the private company requests
> this and does not have the ability to do so themselves.
> 
> (no,
> 
> --
> --
> Johannes Ullrich                     jullrich at euclidian.com
> pgp key: http://johannes.homepc.org/PGPKEYS
> --
>    "We regret to inform you that we do not enable any of the
>     security functions within the routers that we install."
>          support at covad.net
> --
> 
>   ---------------------------------------------------------------------------
> 
> Subject: [Dshield] DCOM Question...
> Date: Mon, 4 Aug 2003 11:25:12 -0400
> From: Richard Golodner <RGolodner at Aetea.com>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: "'list at dshield.org'" <list at dshield.org>
> 
>         I am wondering if someone from the group could update me on what
> ports they are blocking at their firewalls other than the usual 135,
> 137,138,139. All of this patching has gotten to be quite a PIA. Thanks for
> the info...You may email me off list in order to keep the noise level as low
> as possible. kid at aetea.com
>                                                 Sincerely, Richard Golodner
> 
>   ---------------------------------------------------------------------------
> 
> Subject: Re: [Dshield] DCOM Question...
> Date: 04 Aug 2003 11:45:21 -0400
> From: Johannes Ullrich <jullrich at euclidian.com>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: General DShield Discussion List <list at dshield.org>
> References: <460D28F67915D51184E600508BD8A9E3030E03CB at aeteaexch1.aetea.com>
> 
> If this is for a small company / home user network, you should block
> all inbound traffic unless it is related to an established connection
> (requires stateful firewall).
> 
> You may have to open a limited number of ports for some services (e.g.
> Netmeeting)
> 
> On Mon, 2003-08-04 at 11:25, Richard Golodner wrote:
> >       I am wondering if someone from the group could update me on what
> > ports they are blocking at their firewalls other than the usual 135,
> > 137,138,139. All of this patching has gotten to be quite a PIA. Thanks for
> > the info...You may email me off list in order to keep the noise level as low
> > as possible. kid at aetea.com
> >                                               Sincerely, Richard Golodner
> >
> --
> --------------------------------------------------------------
> Johannes Ullrich                     jullrich at euclidian.com
> pgp key: http://johannes.homepc.org/PGPKEYS
> --------------------------------------------------------------
>    "We regret to inform you that we do not enable any of the
>     security functions within the routers that we install."
>          support at covad.net
> --------------------------------------------------------------
> 
>   ---------------------------------------------------------------------------

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
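The policy both Johannes and Kenneth describe above (drop every inbound packet unless it belongs to a connection the inside initiated, then open only the handful of service ports you actually need) is easiest to understand as a tiny connection-tracking model. The following is an added example written for this archive page; it is not code from the list, from DShield, or from any firewall product, and the host addresses, the single allowed inbound port (22, standing in for "some service you deliberately expose") and the packet records are all constructed here for illustration. Note that 135 and 137-139 never appear in the allowlist, so the DCOM/NetBIOS probes the digest is about are dropped by the default rule rather than by a special-case block:

```python
"""Model of a default-deny inbound, allow-established stateful filter.

Added example for the DShield thread above, not list or vendor code.
Addresses, ports and packets below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the protected network
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: a new connection attempt


class StatefulFilter:
    """Inbound traffic is dropped unless it matches a known flow or an allowed port."""

    def __init__(self, allowed_inbound_ports):
        self.allowed = set(allowed_inbound_ports)   # services deliberately exposed
        # Flow table keyed as (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.flows = set()
        self.log = []                                # dropped packets, for review

    def _flow_key(self, pkt):
        # Normalise both directions to the same tuple so a reply matches its request.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt):
        key = self._flow_key(pkt)
        if pkt.direction == "out":
            self.flows.add(key)          # inside host initiated: remember the flow
            return "ACCEPT"
        if key in self.flows:
            return "ACCEPT"              # reply belonging to an established flow
        if pkt.proto == "tcp" and pkt.syn and pkt.dport in self.allowed:
            self.flows.add(key)          # new inbound connection to an exposed service
            return "ACCEPT"
        if pkt.proto == "udp" and pkt.dport in self.allowed:
            return "ACCEPT"
        # Everything else, including unsolicited 135/137-139 probes and stray
        # non-SYN segments, falls through to the default deny.
        self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP"


INSIDE = "192.0.2.10"            # constructed: a workstation behind the firewall
ALLOWED_INBOUND = {22}           # constructed: the one service this site exposes

# Constructed sample traffic: a browse-out and its reply, three unsolicited
# probes, and one legitimate inbound connection to the exposed service.
SAMPLE_PACKETS = [
    Packet("out", "tcp", INSIDE, 40000, "203.0.113.5", 80, syn=True),
    Packet("in", "tcp", "203.0.113.5", 80, INSIDE, 40000),
    Packet("in", "tcp", "198.51.100.7", 3456, INSIDE, 135, syn=True),   # RPC/DCOM probe
    Packet("in", "udp", "198.51.100.7", 137, INSIDE, 137),              # NetBIOS name probe
    Packet("in", "tcp", "198.51.100.9", 5555, INSIDE, 22, syn=True),    # allowed service
    Packet("in", "tcp", "198.51.100.7", 3457, INSIDE, 80),              # stray ACK, no flow
]


def run_demo():
    """Apply the policy to the sample packets; returns (verdicts, drop_log)."""
    fw = StatefulFilter(ALLOWED_INBOUND)
    verdicts = [fw.handle(p) for p in SAMPLE_PACKETS]
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, dropped = run_demo()
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{verdict:6} {pkt.direction:3} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    print(f"{len(dropped)} packets dropped")
```

A real firewall does the flow-table bookkeeping for you (on Linux, for example, an `iptables` rule matching `-m state --state ESTABLISHED,RELATED` on the INPUT chain plays the role of the `key in self.flows` check here, with the chain's default policy set to DROP), which is why Johannes says the approach "requires stateful firewall": without that state, you cannot tell a reply to your own web request from an unsolicited probe on the same port.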




