[Dshield] Nessus Plugin and TCP 135 Question

Phil.Rodrigues@uconn.edu Phil.Rodrigues at uconn.edu
Wed Aug 13 19:04:54 GMT 2003

Hi all,

Two students here (Keith Bessette and Lina Pezzella) have tweaked Nessus 
plugin #11808 to return more accurate info about RPC-DCOM vulnerabilities, 
especially when scanning Windows 95/98/ME computers (that Nessus 
previously reported as "vulnerable").  It now returns the same basic info 
as v1.04 of eEye's tool.  Find it at:


We have developed a webpage to help support staff respond to the 
Stealther.Trojan compromises, MS Blast infections, and RPC-DCOM 
vulnerabilities in our network.  It may be useful to others:


We have noticed that a large number of our Windows 2000 hosts seem to 
have had TCP 135 close when RPC crashed after the worm tried 
unsuccessfully to use the Win XP offset to compromise them.  Since these 
hosts no longer have TCP 135 open they do not appear as "Vulnerable" to 
our scanners, and thus we are passing over them in our sweeps.  However, 
the guess is they will be vulnerable after they reboot and therefore are 
still at risk of being infected.  Anyone have a solution to this?


Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
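
The gap described in the message, where a host drops off the "Vulnerable" list only because TCP 135 closed, can be caught by comparing consecutive sweeps. The following is an added example, not part of the original post or of the Nessus plugin; the sweep format, the status labels and the 192.0.2.x addresses are assumptions constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# One sweep: host -> (tcp135_open, verdict). The verdict is what the scanner
# reported ("vulnerable" or "patched") and is None when port 135 was closed.
# This layout is an assumption for the example, not a Nessus output format.
Sweep = Dict[str, Tuple[bool, Optional[str]]]

def triage(previous: Sweep, current: Sweep) -> Dict[str, str]:
    """Classify hosts so a closed port 135 is not read as 'not vulnerable'."""
    status: Dict[str, str] = {}
    for host in sorted(set(previous) | set(current)):
        was_open, old_verdict = previous.get(host, (False, None))
        # A host missing from the current sweep is treated like a closed port.
        is_open, verdict = current.get(host, (False, None))
        if is_open:
            status[host] = verdict or "unknown"
        elif was_open and old_verdict != "patched":
            # Port was open and unpatched earlier, now closed: RPC may have
            # crashed, so the host can be exposed again after a reboot.
            status[host] = "recheck-after-reboot"
        elif was_open:
            status[host] = "patched-last-seen"
        else:
            status[host] = "no-rpc-observed"
    return status

def recheck_list(status: Dict[str, str]) -> List[str]:
    """Hosts that must stay on the follow-up list despite a closed port."""
    return [h for h, s in status.items() if s == "recheck-after-reboot"]

# Constructed sample sweeps (documentation address range).
PREVIOUS: Sweep = {
    "192.0.2.10": (True, "vulnerable"),
    "192.0.2.11": (True, "patched"),
    "192.0.2.12": (True, "vulnerable"),
    "192.0.2.13": (False, None),
    "192.0.2.15": (True, "vulnerable"),
}
CURRENT: Sweep = {
    "192.0.2.10": (False, None),        # port closed since last sweep
    "192.0.2.11": (False, None),
    "192.0.2.12": (True, "patched"),    # fixed between sweeps
    "192.0.2.13": (False, None),
    "192.0.2.14": (True, "vulnerable"),  # new host
}

if __name__ == "__main__":
    for host, state in triage(PREVIOUS, CURRENT).items():
        print(f"{host:12} {state}")
```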
