FW: [Dshield] IRC port 135 attack

Keith Bergen keith at keithbergen.com
Wed Aug 20 16:31:31 GMT 2003


We continue to get attacked. I have a question.

Are exploited machines keeping TCP 4444 open? If so, then our port scanner
bot can block infected users. We can't block TCP 135 since that is basically
every Windows machine ever made.

I also heard that another strain had TCP 707 open. Is that true?

Keith.

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Keith Bergen
Sent: Tuesday, August 19, 2003 7:39 PM
To: 'General DShield Discussion List'
Subject: [Dshield] IRC port 135 attack


Well, it looks like some folks have merged some of the more popular IRC
attacks (Fizzer, etc.) with the most popular exploit (DCOM RPC 135).

We have gotten attacked by thousands of "bots" on our network all day. They
join the network, and then join various channels, change nicks, and
generally obfuscate their hostmasks.

We're still battling them, but basically we still need our ISPs to block
vulnerable systems at the routers. Otherwise, we're still taking the hit for
them.

In short, 135 has mutated, and merged with other exploits.

Keith.
