[Dshield] FW: [TSRadar] Blip: ICMP and Port TCP/135

Paul Marsh pmarsh at nmefdn.org
Mon Aug 18 14:51:06 GMT 2003


Wayne:

	Do you have a url or an e-mail regarding the alert?

Thanx, Paul

-----Original Message-----
From: Wayne Beckham [mailto:wbeckham at yahoo.com]
Sent: Monday, August 18, 2003 10:45 AM
To: list at dshield.org
Subject: [Dshield] FW: [TSRadar] Blip: ICMP and Port TCP/135


Trusecure has an alert out concerning the recent surge in ICMP probes.

- Wayne

-----Original Message-----
From: "Kennedy, David" <dkennedy at trusecure.com> 
Sent: Monday, August 18, 2003 7:37 AM
To: TSRadar at postal.trusecure.com
Subject: [TSRadar] Blip: ICMP and Port TCP/135


-----BEGIN PGP SIGNED MESSAGE-----

_______________________________________________________________
PROBLEM:     Apparent surge in ICMP probes, possibly in conjunction
with port TCP/135 probes.
PLATFORM:  Port TCP/135 traffic targeting Windows hosts w/DCOM
DAMAGE:    Unknown
SOLUTION:   Log and, if possible, alert on surges in either probes.
_______________________________________________________________
VULNERABILITY
ASSESSMENT:   Undetermined for ICMP, Port TCP/135 is Red Hot due to
W32/Lovesan
_______________________________________________________________

TruSecure is monitoring from multiple sources, including customers, a surge
in ICMP and TCP/135 traffic.  The "most benign" explanation is "destination
unreachable" messages from hosts trying to DOS "windowsupdate.com" due to
Lovesan infections, and Lovesan infected hosts scanning on TCP/135 as they
are powered-up on Monday morning.

The "most malignant" explanation is there is a new RPC/DCOM worm out there
that scans with ICMP and attempts TCP/135 exploits after. 
Continued in the "worst case scenario" is the addition of NT4 w/DCOM host to
the infectable/infected population.

We do not have packet captures of either type of probe but if you see this
traffic increasing and can capture packets, please send us some samples.  We
do not know the TYPE/CODE combination(s) used for the ICMP traffic.  One
open source indicates 218/8 may be the source of much of the early ICMP
traffic.

One document available on the Internet explaining some of the good vs bad
issues with ICMP is at: 
http://www.cymru.com/Documents/icmp-messages.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
Comment: Hacker=Cybercriminal The definition changed get over it.

iQCVAwUBP0DkePGfiIQsciJtAQHybQQA0KAANY1VARXtWUF44/XS5iE5zJ/R+/Tv
3++nO1xRAyLYpy2bsSdnvoljkgTwgSLXjQQa3LogNMG+k7cmmV5dC81au8xOeppf
7kua0BdMMsZQqsWW8p8j4AUrLQJFRqMcrUc31NIXO09Q+Ukn2F0TGxdnteJpV9lU
p4weU+SXdmQ=
=hARr
-----END PGP SIGNATURE-----

-- 
David Kennedy CISSP Director of Research Services TruSecure Corp.
http://www.trusecure.com
_______________________________________________
TSRadar mailing list
TSRadar at postal.trusecure.com
http://postal.trusecure.com/mailman/listinfo/tsradar


_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
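The advisory's recommended response is to log, and where possible alert on, surges in ICMP and TCP/135 probes, and it asks for the ICMP TYPE/CODE combinations because a flood of type 3 (destination unreachable) replies and a flood of type 8 (echo request) scans would point to different explanations. The script below is an added illustration of that check, written for this page and not part of the advisory or either mailing list. It assumes firewall logs in iptables LOG style (the SRC=/DST=/PROTO=/TYPE=/CODE=/DPT= fields), the sample lines are constructed using documentation addresses rather than real captures, and the surge rule (a per-minute count at least `factor` times the mean of earlier minutes and at least `min_count`) is a simple heuristic chosen for the example.

```python
import re
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample log in iptables LOG style (assumed format; not a real capture).
# A quiet baseline at 07:30-07:32, then a burst at 07:33 of ICMP type 3/code 1
# (destination unreachable) plus TCP/135 SYNs, the two traffic kinds in the advisory.
SAMPLE_LOG = """\
Aug 18 07:30:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=56 PROTO=ICMP TYPE=3 CODE=1
Aug 18 07:30:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=3421 DPT=80 SYN
Aug 18 07:30:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1055 DPT=135 SYN
Aug 18 07:31:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.13 DST=198.51.100.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Aug 18 07:31:45 fw kernel: IN=eth0 OUT= SRC=203.0.113.14 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1061 DPT=135 SYN
Aug 18 07:32:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.15 DST=198.51.100.5 LEN=56 PROTO=ICMP TYPE=3 CODE=1
Aug 18 07:33:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.20 DST=198.51.100.5 LEN=56 PROTO=ICMP TYPE=3 CODE=1
Aug 18 07:33:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.21 DST=198.51.100.5 LEN=56 PROTO=ICMP TYPE=3 CODE=1
Aug 18 07:33:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.22 DST=198.51.100.5 LEN=56 PROTO=ICMP TYPE=3 CODE=1
Aug 18 07:33:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.23 DST=198.51.100.5 LEN=56 PROTO=ICMP TYPE=3 CODE=1
Aug 18 07:33:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.24 DST=198.51.100.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Aug 18 07:33:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.30 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1070 DPT=135 SYN
Aug 18 07:33:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.31 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1071 DPT=135 SYN
Aug 18 07:33:08 fw kernel: IN=eth0 OUT= SRC=203.0.113.32 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1072 DPT=135 SYN
Aug 18 07:33:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.33 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1073 DPT=135 SYN
Aug 18 07:33:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.34 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1074 DPT=135 SYN
"""

# Syslog timestamp, then the iptables fields we care about (SRC, PROTO, and the rest).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hm>\d\d:\d\d):\d\d .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+)(?P<rest>.*)$"
)


def parse_line(line):
    """Return (minute, src, key, detail) for one log line, or None if it does not parse.
    key is 'icmp' or '<proto>/<dport>'; detail is (type, code) for ICMP, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    minute = f"{m['mon']} {m['day']} {m['hm']}"
    if m["proto"] == "ICMP":
        tc = re.search(r"TYPE=(\d+) CODE=(\d+)", m["rest"])
        detail = (int(tc.group(1)), int(tc.group(2))) if tc else None
        return minute, m["src"], "icmp", detail
    dpt = re.search(r"DPT=(\d+)", m["rest"])
    if not dpt:
        return None
    return minute, m["src"], f"{m['proto'].lower()}/{dpt.group(1)}", None


def per_minute_counts(log, watch=("icmp", "tcp/135")):
    """Count the watched traffic classes per minute bucket: {key: {minute: count}}."""
    counts = defaultdict(Counter)
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in watch:
            counts[parsed[2]][parsed[0]] += 1
    return counts


def icmp_type_code_breakdown(log):
    """Counter of (type, code) pairs seen in ICMP lines, so a surge can be attributed
    (type 3 'destination unreachable' backscatter vs type 8 echo-request scanning)."""
    breakdown = Counter()
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == "icmp" and parsed[3] is not None:
            breakdown[parsed[3]] += 1
    return breakdown


def detect_surges(log, factor=3.0, min_count=5, watch=("icmp", "tcp/135")):
    """Flag a minute for a traffic class when its count is at least min_count and at
    least factor x the mean of all earlier minutes in the log (minutes with no hits
    count as zero). Minutes are taken in log order. Returns [(minute, key, count)]."""
    counts = per_minute_counts(log, watch)
    minutes = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] not in minutes:
            minutes.append(parsed[0])
    alerts = []
    for key in watch:
        for i, minute in enumerate(minutes):
            count = counts[key].get(minute, 0)
            prior = [counts[key].get(mn, 0) for mn in minutes[:i]]
            baseline = mean(prior) if prior else 0.0
            if count >= min_count and count >= factor * baseline:
                alerts.append((minute, key, count))
    return alerts


if __name__ == "__main__":
    for minute, key, count in detect_surges(SAMPLE_LOG):
        print(f"SURGE {minute} {key}: {count} hits")
    for (icmp_type, icmp_code), n in sorted(icmp_type_code_breakdown(SAMPLE_LOG).items()):
        print(f"ICMP type {icmp_type} code {icmp_code}: {n}")
```

Run against a real iptables log the functions take the file contents as `log`; on the constructed sample both classes are flagged at 07:33, and the breakdown shows the ICMP burst is dominated by type 3/code 1 rather than echo requests, which is exactly the TYPE/CODE information the advisory asks responders to capture before deciding between the "benign" backscatter and "malignant" scanning-worm explanations.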
