[Dshield] DCOM morning after

Mrcorp mrcorp at yahoo.com
Tue Aug 12 16:15:15 GMT 2003


Hmm, actually I am stunned that you feel this way.  ;)

Actually, even if it's blocked at the firewall, there are still dial-up connections, VPN
connections, laptops of users who take them home and bring them in to the office, etc.   There
is always more than one way to catch a worm, or skin a cat...

mrcorp

--- Ben Robson <ben at robson.ph> wrote:
> Am I the only one -stunned- by the number of companies and professional 
> organisations being infected by this worm?
> 
> Given its infection path is via port 135, and nobody should be 
> permitting this in to or out of their network (filtered at the firewall) 
> this should only be impacting home users (who are less likely to have a 
> firewall).
> 
> What the number of organisational infections tells me is how many 
> organisations -still- don't run even the most rudimentary of firewalls.
> 
> I think some shareholders who get wind of their companies being infected 
> should hang their directors out to dry on this one.
> 
> BenR.
> 
> Stephane Grobety wrote:
> 
> >Hello Jonathan,
> >
> >Tuesday, August 12, 2003, 3:50:22 PM, you wrote:
> >
> >JR> Received: from iceman.incidents.org ([63.100.47.43])
> >JR>         by mail.fulgan.com (Merak 6.0.3) with SMTP id JHA74159
> >JR>         for <security at admin.fulgan.com>; Tue, 12 Aug 2003 16:08:15 +0200
> >JR> Received: (qmail 16700 invoked from network); 12 Aug 2003 14:06:40 -0000
> >JR> Received: from chipper2-int (HELO viper.incidents.org) (10.36.0.2)
> >JR>   by 0 with SMTP; 12 Aug 2003 14:06:40 -0000
> >JR> Received: from localhost.localdomain (chipper2 [127.0.0.1])
> >JR> 	by viper.incidents.org (8.11.6/8.11.6) with ESMTP id h7CE6bH23486;
> >JR> 	Tue, 12 Aug 2003 10:06:37 -0400
> >JR> Received: from dshield.org (charlie [10.51.0.11])
> >JR> 	by viper.incidents.org (8.11.6/8.11.6) with ESMTP id h7CDoXH22100
> >JR> 	for <list at viper.uunet>; Tue, 12 Aug 2003 09:50:34 -0400
> >JR> Received: (qmail 27268 invoked from network); 12 Aug 2003 13:50:28 -0000
> >JR> Received: from mta01.alltel.net (HELO mta01-srv.alltel.net) (166.102.165.143)
> >JR>   by 0 with SMTP; 12 Aug 2003 13:50:28 -0000
> >JR> Received: from abacus.xcorps.net ([166.102.231.57]) by mta01-srv.alltel.net
> >JR>           with ESMTP
> >JR>           id <20030812135024.TNGL17462.mta01-srv.alltel.net at abacus.xcorps.net>
> >JR>           for <list at dshield.org>; Tue, 12 Aug 2003 08:50:24 -0500
> >JR> From: Jonathan Rickman <jonathan at xcorps.net>
> >JR> Organization: X Corps Security
> >JR> To: General DShield Discussion List <list at dshield.org>
> >JR> Subject: Re: [Dshield] DCOM morning after
> >JR> Date: Tue, 12 Aug 2003 09:50:22 -0400
> >JR> User-Agent: KMail/1.5.9.1i
> >JR> References: <9F3B43C638622B45B013654517B61D9B0773A9 at banana-jr-6k.nmefdn.org>
> >JR> In-Reply-To: <9F3B43C638622B45B013654517B61D9B0773A9 at banana-jr-6k.nmefdn.org>
> >JR> MIME-Version: 1.0
> >JR> Content-Disposition: inline
> >JR> Content-Type: text/plain;
> >JR>   charset="iso-8859-1"
> >JR> Content-Transfer-Encoding: 7bit
> >JR> Message-Id: <200308120950.22228.jonathan at xcorps.net>
> >JR> X-Envelope-To: list at dshield.org
> >JR> X-Mailman-Approved-At: Tue, 12 Aug 2003 10:03:26 -0400
> >JR> X-BeenThere: list at dshield.org
> >JR> X-Mailman-Version: 2.1
> >JR> Precedence: list
> >JR> Reply-To: General DShield Discussion List <list at dshield.org>
> >JR> List-Id: General DShield Discussion List <list.dshield.org>
> >JR> List-Unsubscribe: <http://www.dshield.org/mailman/listinfo/list>,
> >JR> 	<mailto:list-request at dshield.org?subject=unsubscribe>
> >JR> List-Archive: <http://www.dshield.org/pipermail/list>
> >JR> List-Post: <mailto:list at dshield.org>
> >JR> List-Help: <mailto:list-request at dshield.org?subject=help>
> >JR> List-Subscribe: <http://www.dshield.org/mailman/listinfo/list>,
> >JR> 	<mailto:list-request at dshield.org?subject=subscribe>
> >JR> Sender: list-bounces at dshield.org
> >JR> Errors-To: list-bounces at dshield.org
> >
> >JR> On Tuesday 12 August 2003 09:07, Paul Marsh wrote:
> >  
> >
> >>>Good Morning All:
> >>>      
> >>>
> >JR> There have been several reports on the incidents list suggesting that
> >JR> patched machines are being infected in some cases.
> >
> >The reason behind this is that Windows Update only uses the registry
> >to verify whether a patch has been applied or not. If a user has
> >used a Windows restore point or has installed patches out of order, then
> >it might be that the machine is vulnerable again, but Windows Update
> >won't detect this.
> >
> >To correct the problem, you can either use one of the free DCOM
> >vulnerability scanners available and manually re-patch all vulnerable
> >machines or you can use a tool like HFNetChk to do the job for you (it
> >will do a checksum and version check on the files, not trust the
> >registry).
> >
> >That, at least, fixed all machines on my network that were still
> >vulnerable even after being patched. However, if anyone has actually
> >SEEN a machine that is still vulnerable after it was patched (and by
> >that, I mean the last thing you've done on it was manually applied the
> >patch or you've checked the version and checksum of the involved files
> >so you KNOW they are the good ones), then I'd very much like to hear
> >about it.
> >
> >Good luck,
> >Stephane
> >  
> >
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list


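Stephane's point in the quoted message is that a registry entry only records that a patch was once installed, while the files on disk are what actually close the hole; a restore point or an out-of-order install can put old binaries back without touching the marker. The script below is an added example written for this thread, not a tool from the list, from HFNetChk or from Microsoft: it records known-good hashes from a machine patched by hand, then checks other hosts by file content and reports when the registry claim and the files disagree. The file names, the patch identifier, the two constructed hosts and the dict standing in for the registry are all assumptions made for the demonstration.

```python
"""Verify a patch by file content rather than by a registry marker.

Added example for the thread above; not the list's, HFNetChk's or
Microsoft's code. Host layout, file names, file contents and the dict
standing in for the registry are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# Files a hypothetical patch replaces, relative to the system root.
# Placeholder names; the real DCOM patch file list is not reproduced here.
PATCHED_FILES = ["system32/rpcss.dll", "system32/ole32.dll"]
PATCH_ID = "DCOM-PATCH-PLACEHOLDER"  # constructed registry key, not a real KB id


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(reference_root: Path, rel_paths) -> dict:
    """Record known-good hashes from a host you patched by hand and checked."""
    return {rel: sha256_of(reference_root / rel) for rel in rel_paths}


def verify_host(root: Path, manifest: dict, registry: dict, patch_id: str) -> dict:
    """Compare on-disk files with the manifest; the registry marker is reported, never trusted."""
    registry_claims = registry.get(patch_id) == "Installed"
    mismatched, missing = [], []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.exists():
            missing.append(rel)
        elif sha256_of(p) != expected:
            mismatched.append(rel)
    vulnerable = bool(mismatched or missing)
    if vulnerable and registry_claims:
        status = "registry says patched, files say otherwise: re-apply the patch"
    elif vulnerable:
        status = "unpatched"
    else:
        status = "patched (verified by file content)"
    return {"registry_claims_patched": registry_claims, "mismatched": mismatched,
            "missing": missing, "vulnerable": vulnerable, "status": status}


def _write(root: Path, rel: str, content: bytes) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(content)


def demo() -> dict:
    """Build a reference host and two constructed test hosts, then verify both."""
    patched = {rel: f"patched build of {rel}".encode() for rel in PATCHED_FILES}
    old = {rel: f"pre-patch build of {rel}".encode() for rel in PATCHED_FILES}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        ref = tmp / "reference"  # the hand-patched machine the manifest comes from
        for rel, data in patched.items():
            _write(ref, rel, data)
        manifest = build_manifest(ref, PATCHED_FILES)

        # Host A: patched, and the registry marker agrees.
        good = tmp / "good"
        for rel, data in patched.items():
            _write(good, rel, data)
        # Host B: the registry marker is set, but a restore point put the
        # pre-patch rpcss.dll back on disk. Windows Update would call this patched.
        rolled = tmp / "rolled_back"
        _write(rolled, "system32/rpcss.dll", old["system32/rpcss.dll"])
        _write(rolled, "system32/ole32.dll", patched["system32/ole32.dll"])

        registry = {PATCH_ID: "Installed"}  # constructed stand-in, same on both hosts
        return {"good": verify_host(good, manifest, registry, PATCH_ID),
                "rolled_back": verify_host(rolled, manifest, registry, PATCH_ID)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"{name}: {report['status']} mismatched={report['mismatched']}")
```

The manifest is built from a machine on which the patch was applied manually and the files checked, which is the state Stephane describes as the only one worth trusting; a host whose files match is reported patched regardless of the registry, and a host whose registry says "Installed" but whose files do not match is flagged for re-patching, which is the rolled-back case from the quoted message.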



