[Dshield] msblaster

Johannes B. Ullrich jullrich at sans.org
Sat Aug 16 22:05:33 GMT 2003


On Sat, 2003-08-16 at 17:40, Pagarb at aol.com wrote:
> this might be premature, but a system I was working that had msblaster on it

Finding 'blaster' on a system indicates that it had a vulnerable version
of RPC DCOM installed. As a result, any of the auto-rooters in
circulation could have infected it. No telling what's on your system.
But I strongly recommend a complete rebuild. If authorities are
interested, you may want to secure the system as evidence.

This makes a point I did bring up a couple of times during the last
week:

If at all possible, rebuild infected systems from scratch after making a
backup. Your system was vulnerable to at least half a dozen auto-rooters,
IRC bots and whatever else you would like to call them.



-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt
