[Dshield] 3 Comprehensive links in combat with MSBlaster Worm

Geoff Shively gshively at pivx.com
Tue Aug 12 22:53:30 GMT 2003


Another useful link in the 593 realm of interest:

"Additionally, Todd Sabin, at Bindview, points out correctly that the
RPC/DCOM interface is accessible over any RPC protocol sequence that the
endpoint mapper listens on.  That includes:

o ncacn_ip_tcp :  TCP port 135
o ncadg_ip_udp :  UDP port 135
o ncacn_np     :  \pipe\epmapper, normally accessible via SMB null
                  session on TCP ports 139 and 445
o ncacn_http   : if active, listening on TCP port 593.

"

full thread here:
http://cert.uni-stuttgart.de/archive/intrusions/2003/07/msg00325.html


Cheers,

Geoff Shively, CHO
PivX Solutions, LLC

Are You Secure?
http://www.pivx.com

----- Original Message ----- 
From: "Geoff Shively" <gshively at pivx.com>
To: "General DShield Discussion List" <list at dshield.org>
Cc: <johnh at aproposretail.com>
Sent: Tuesday, August 12, 2003 3:47 PM
Subject: Re: [Dshield] 3 Comprehensive links in combat with MSBlaster Worm


> Yes, Jeff Parker (jeff.t.parker_at_hp.com) wrote on Aug 01, 2003 that
> the DCOM vuln is usable over port 593.
>
> (RPC-over-HTTP)
>
> You can find more information here:
> http://lists.insecure.org/lists/fulldisclosure/2003/Aug/0055.html
>
>
> This is not the first email I received on the DCOM 593 relation, I hope
> people aren't passing this up in their fix routine, it is quite important.
>
> Cheers,
>
> Geoff Shively, CHO
> PivX Solutions, LLC
>
> Are You Secure?
> http://www.pivx.com
>
> ----- Original Message ----- 
> From: "John Hardin" <johnh at aproposretail.com>
> To: "General DShield Discussion List" <list at dshield.org>
> Sent: Tuesday, August 12, 2003 3:19 PM
> Subject: Re: [Dshield] 3 Comprehensive links in combat with MSBlaster Worm
>
>
> > On Tue, 2003-08-12 at 13:06, Geoff Shively wrote:
> > >  block the ports 135 - 139 -445 - 593
> >
> > 593? Wozzat?
> >
> > --
> > John Hardin  KA7OHZ
> > Internal Systems Administrator                    voice: (425) 672-1304
> > Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
> > -----------------------------------------------------------------------
> >   In the Lion
> >   the Mighty Lion
> >   the Zebra sleeps tonight...
> >   Dee de-ee-ee-ee-ee de de de we um umma way!
> > -----------------------------------------------------------------------
> >  9 days until company picnic and AquaSox game
> >
>
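The transport list quoted at the top of this message can be turned into a host-side check. The following is an added example, not part of the original thread: it reads Windows `netstat -an` output and reports which of the listed endpoint-mapper transports are listening locally. The function name, the sample output and the addresses in it are constructed for illustration.

```python
import re

# Transports that reach the RPC endpoint mapper, as listed in the quoted text.
EPMAP_TRANSPORTS = {
    ("TCP", 135): "ncacn_ip_tcp",
    ("UDP", 135): "ncadg_ip_udp",
    ("TCP", 139): "ncacn_np (\\pipe\\epmapper over SMB)",
    ("TCP", 445): "ncacn_np (\\pipe\\epmapper over SMB)",
    ("TCP", 593): "ncacn_http",
}

# proto, local addr:port, foreign addr, optional state (UDP rows have none)
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def audit_listeners(netstat_text):
    """Return sorted (proto, port, protocol sequence) for exposed listeners."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and blank lines
        proto, _addr, port, state = m.groups()
        # Only listening TCP sockets count; an outbound connection *to* a
        # remote port 135 must not be reported as a local exposure.
        if proto == "TCP" and state != "LISTENING":
            continue
        key = (proto, int(port))
        if key in EPMAP_TRANSPORTS:
            found.add(key + (EPMAP_TRANSPORTS[key],))  # set dedupes IPv4/IPv6 rows
    return sorted(found)

# Constructed sample of Windows `netstat -an` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    [::]:593               [::]:0                 LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.20:135       ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    for proto, port, seq in audit_listeners(SAMPLE):
        print(f"{proto}/{port} open: endpoint mapper reachable via {seq}")
```

A host that reports TCP 593 here still exposes the interface over ncacn_http even when 135, 139 and 445 are already filtered.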



