[Dshield] FW: [TSRadar] Blip: ICMP and Port TCP/135
wbeckham at yahoo.com
Mon Aug 18 14:44:30 GMT 2003
Trusecure has an alert out concerning the recent surge in ICMP probes.
From: "Kennedy, David" <dkennedy at trusecure.com>
Sent: Monday, August 18, 2003 7:37 AM
To: TSRadar at postal.trusecure.com
Subject: [TSRadar] Blip: ICMP and Port TCP/135
-----BEGIN PGP SIGNED MESSAGE-----
PROBLEM: Apparent surge in ICMP probes, possibly in conjunction
with port TCP/135 probes.
PLATFORM: Port TCP/135 traffic targeting Windows hosts w/DCOM
SOLUTION: Log and, if possible, alert on surges in either type of probe.
ASSESSMENT: Undetermined for ICMP, Port TCP/135 is Red Hot due to

TruSecure is monitoring from multiple sources, including customers, a surge
in ICMP and TCP/135 traffic. The "most benign" explanation is "destination
unreachable" messages from hosts trying to DoS "windowsupdate.com" due to
Lovesan infections, and Lovesan-infected hosts scanning on TCP/135 as they
are powered up on Monday morning.

The "most malignant" explanation is there is a new RPC/DCOM worm out there
that scans with ICMP and attempts TCP/135 exploits after.

Continued in the "worst case scenario" is the addition of NT4 w/DCOM hosts to
the infectable/infected population.

We do not have packet capture of either type of probe but if you see this
traffic increasing and can capture packets, please send us some samples. We
do not know the TYPE/CODE combination(s) used for the ICMP traffic. One
open source indicates 218/8 may be the source of much of the early ICMP

One document available on the Internet explaining some of the good vs bad
issues with ICMP is at:
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
Comment: Hacker=Cybercriminal The definition changed get over it.
-----END PGP SIGNATURE-----
David Kennedy CISSP Director of Research Services TruSecure Corp.
TSRadar mailing list
TSRadar at postal.trusecure.com
More information about the list
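The SOLUTION line above asks sites to log and alert on surges in either probe type, and the "worst case" paragraph describes a scanner that probes with ICMP and then attempts TCP/135. The script below is an added example, not part of the TruSecure alert or of the list post, that implements both checks over a constructed batch of firewall-style log lines: it counts ICMP and TCP/135 events per minute, flags a minute whose count is several times the mean of the preceding minutes, and lists sources whose ICMP probe was followed by a TCP/135 attempt within a short window. The log layout (ISO timestamp, action, iptables-style key=value fields), the thresholds, and the TEST-NET addresses are assumptions made for the example.

```python
"""Surge and ICMP-then-TCP/135 detector over firewall-style log lines.

Added example; the log format, thresholds and addresses are constructed
assumptions, not taken from the alert.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout: "<ISO ts> <action> SRC=.. DST=.. PROTO=.. [TYPE=.. CODE=..] [DPT=..]".
# Real firewall logs differ; adapt LINE_RE to yours.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \w+ "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)"
    r"(?: TYPE=(?P<type>\d+) CODE=(?P<code>\d+))?"
    r"(?: DPT=(?P<dpt>\d+))?$"
)

# Constructed sample: three quiet minutes, then a burst of echo requests
# followed by TCP/135 attempts from the same sources. One junk line is included
# to show that unparseable input is skipped rather than counted.
SAMPLE_LOG = """\
2003-08-18T09:00:12 DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
2003-08-18T09:01:03 DROP SRC=192.0.2.11 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
2003-08-18T09:01:44 DROP SRC=192.0.2.12 DST=198.51.100.5 PROTO=TCP DPT=135
2003-08-18T09:02:30 DROP SRC=192.0.2.13 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
2003-08-18T09:02:50 DROP SRC=192.0.2.14 DST=198.51.100.5 PROTO=TCP DPT=80
2003-08-18T09:03:01 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
2003-08-18T09:03:02 DROP SRC=203.0.113.8 DST=198.51.100.6 PROTO=ICMP TYPE=8 CODE=0
2003-08-18T09:03:04 DROP SRC=203.0.113.9 DST=198.51.100.7 PROTO=ICMP TYPE=8 CODE=0
2003-08-18T09:03:05 DROP SRC=203.0.113.10 DST=198.51.100.8 PROTO=ICMP TYPE=8 CODE=0
2003-08-18T09:03:06 DROP SRC=203.0.113.11 DST=198.51.100.9 PROTO=ICMP TYPE=8 CODE=0
2003-08-18T09:03:40 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=135
2003-08-18T09:03:41 DROP SRC=203.0.113.8 DST=198.51.100.6 PROTO=TCP DPT=135
2003-08-18T09:03:42 DROP SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP DPT=135
2003-08-18T09:03:43 DROP SRC=203.0.113.10 DST=198.51.100.8 PROTO=TCP DPT=135
2003-08-18T09:03:44 DROP SRC=203.0.113.11 DST=198.51.100.9 PROTO=TCP DPT=135
2003-08-18T09:03:50 DROP SRC=203.0.113.12 DST=198.51.100.9 PROTO=TCP DPT=135
this line is not a firewall record
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def classify(rec):
    """Map a record to one of the two probe classes from the alert, else None."""
    if rec["proto"] == "ICMP":
        return "icmp"
    if rec["proto"] == "TCP" and rec["dpt"] == "135":
        return "tcp135"
    return None


def count_per_minute(records):
    """Per-class event counts keyed by minute (seconds truncated)."""
    counts = {"icmp": defaultdict(int), "tcp135": defaultdict(int)}
    for rec in records:
        cls = classify(rec)
        if cls:
            counts[cls][rec["ts"].replace(second=0)] += 1
    return counts


def detect_surges(counts, baseline=3, factor=3.0, min_events=5):
    """Flag minutes whose count is >= factor x the mean of the previous `baseline`
    minutes and also >= min_events. Minutes with no events count as zero, and all
    classes share one time axis so a quiet class is still compared to a full window."""
    minutes = set()
    for per_min in counts.values():
        minutes.update(per_min)
    if not minutes:
        return []
    t, end, axis = min(minutes), max(minutes), []
    while t <= end:
        axis.append(t)
        t += timedelta(minutes=1)
    alerts = []
    for cls, per_min in counts.items():
        for i in range(baseline, len(axis)):
            prev = [per_min.get(m, 0) for m in axis[i - baseline:i]]
            mean = sum(prev) / baseline
            now = per_min.get(axis[i], 0)
            if now >= min_events and now >= factor * max(mean, 1.0):
                alerts.append((cls, axis[i].strftime("%H:%M"), now, round(mean, 2)))
    return alerts


def icmp_then_135(records, window=timedelta(minutes=5)):
    """Sources whose ICMP probe was followed by a TCP/135 attempt within `window`."""
    last_icmp, hits = {}, set()
    for rec in sorted(records, key=lambda r: r["ts"]):
        cls = classify(rec)
        if cls == "icmp":
            last_icmp[rec["src"]] = rec["ts"]
        elif cls == "tcp135":
            t0 = last_icmp.get(rec["src"])
            if t0 is not None and timedelta(0) <= rec["ts"] - t0 <= window:
                hits.add(rec["src"])
    return sorted(hits)


def analyze(log_text):
    """Run both checks over raw log text and return the findings."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        "records": records,
        "surges": detect_surges(count_per_minute(records)),
        "icmp_then_135": icmp_then_135(records),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for cls, minute, now, mean in result["surges"]:
        print(f"SURGE {cls} at {minute}: {now} events (baseline mean {mean})")
    print("ICMP followed by TCP/135 from:", ", ".join(result["icmp_then_135"]))
```

The surge check is deliberately simple (a multiple of a short trailing mean with an absolute floor) so that a single stray packet in a quiet window does not fire; tune `baseline`, `factor` and `min_events` to your own traffic. The correlation check keys on the source address, which is what the alert's worst-case description would leave in a firewall log, and it ignores TCP/135 attempts with no preceding ICMP probe from the same source so that ordinary Lovesan scanning is reported only through the surge counter.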